Re: Digesting hex instead of binary?
"Mark Wooding" <mdw@xxxxxxxxxxxxxxxx> wrote in message
news:slrnegadt0.ftk.mdw@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

> the
> idea of a zero-knowledge scheme for a shared secret is nonsensical, or
> at least thoroughly unhelpful.

I find it quite the opposite, and your example shows why; I will call it a
Full-Knowledge Proof. A fake server can collect arbitrary shared secrets
simply by listening to the clients spill the knowledge. In fact, your example
completely violates the third rule:

> * Zero knowledge: for any verifier V, there exists a simulator S such
>   that transcripts of V interacting with P are indistinguishable from
>   transcripts which S can produce with oracle access to V (but without
>   the auxiliary input s).


> I claim that the trivial `here's my secret' protocol is `zero-
> knowledge'.

It is not: it violates the additional rules that you skipped, in particular
that determining x from V(x) is impossible. In your example V is the
identity algorithm and as such can be trivially reversed.

There is plenty of reason to use ZKPs in the majority of shared-secret
situations, and avoiding a MITM collecting the data (as would easily happen
in your example) is a perfectly good one. A good ZKP in this situation will
also provide forward secrecy.

Joe
