I'm not hep to the identification scheme literature, but I'll just a note
that in Dimitrios's scheme, Alice can't just sign the challenge, but must
also include Dave's signature in her signature. That is, Alice must sign all
of {S_dave(challenge), challenge}, not just the challenge by itself. And
Dave has to verify that both the challenge and his signature were signed by
Alice. Otherwise, Bob could just masquerade Dave's challenge.
Marc
[EMAIL PROTECTED] wrote:
>
> I think this is a case for additional protective mechanisms to extend the
> protocol semantics (there is nothing in the protocol prohibiting the
> verifier to perform a verification on behalf of a third party, which is
> the vulnerability exploited in the Mafia Fraud attack). This
> 'challenge-relay' can easily be defeated if the verifier (in the Mafia
> Fraud case that's Bob and Dave) is required to digitally sign their
> challenges. If challenges are signed then Alice will only proceed with
> the rest of the protocol run if the challenge indeed comes from Bob;
> Carol can still pass Dave's challenges to Bob but Alice will refuse to
> perform the protocol run having noticed that the challenges do not come
> from Bob. The optimised versions of the Feige-Fiat-Shamir and Guillou-
> Quisquater protocols make signing easier since they employ a vector of
> challenges to perform multiple accreditations- in order to avoid
> multiple messages.
>
> Regards,
> Dimitrios Petropoulos
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]