Re: Encrypted chat - Anonymous identification protocol

bram (bram@gawth.com)
Tue, 1 Sep 1998 11:49:50 -0700 (PDT)

• Next message: C Matthew Curtin: "Re: Announcing: WWW Cryptography Article Database"
• Previous message: David Honig: "Re: Steganography via Arithmetic Compression"
• Next in thread: David Jablon: "Re: Encrypted chat - Anonymous identification protocol"

On 1 Sep 1998, Ray Jones wrote:

> if the number of possible secrets is small, then both of these methods
> fall to a dictionary attacks, though in the second case, Bob has to
> spend quite a while on the phone.

That's the problem - in the application I mentioned, there's a very small
number of messages which it's very likely that either Alice or Bob might
have (to say 'pass', they simply make up some random garbage for their
secret key, effectively making the chances of a match zero.)

I think it might be necessary to resort to secure circuit evaluation. Does
anybody know how practical that is? Hal Finney showed at crypto '98 that
it's possible to do a zero knowledge proof of sha1 inversion in only 6
megs, which I find rather amazing.

-Bram

• Next message: C Matthew Curtin: "Re: Announcing: WWW Cryptography Article Database"
• Previous message: David Honig: "Re: Steganography via Arithmetic Compression"
• Next in thread: David Jablon: "Re: Encrypted chat - Anonymous identification protocol"