I think this is a case for additional protective mechanisms to extend the protocol
semantics (there is nothing in the protocol prohibiting the verifier to perform a
verification on behalf of a third party, which is the vulnerability exploited in the
Mafia Fraud attack). This 'challenge-relay' can easily be defeated if the verifier (in
the Mafia Fraud case that's Bob and Dave) is required to digitally sign their
challenges. If challenges are signed then Alice will only proceed with the rest of the
protocol run if the challenge indeed comes from Bob; Carol can still pass Dave's
challenges to Bob but Alice will refuse to perform the protocol run having noticed
that the challenges do not come from Bob. The optimised versions of the
Feige-Fiat-Shamir and Guillou-Quisquater protocols make signing easier since they
employ a vector of challenges to perform multiple accreditations- in order to avoid
multiple messages.
Regards,
Dimitrios Petropoulos
> I'm reading about zero knowledge identity proofs and 'The Mafia Fraud' in
> Applied Cryptography. Has no one found a way to perform an identity proof
> such that you can prove who you are to a specific person? In the example in
> the book Alice proves who she is to Bob who transmits to Carol, and Carol
> proves that she is Alice to Dave. I'm curious what the problem is with
> creating a proof that Alice is Alice such that only Bob can be assured that
> she is Alice so that Carol can't use the proof to identify who she is to
> Dave.
>
> --
> Groove On Dude
> Michael Conlen
> Obfuscated Networking
> [EMAIL PROTECTED]
>
-----------------------------------------------------------------
Visit our Internet site at http://www.reuters.com
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be
the views of Reuters Ltd.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]