Re: Digesting hex instead of binary?

"Mark Wooding" <mdw@xxxxxxxxxxxxxxxx> wrote in message
> idea of a zero-knowledge scheme for a shared secret is nonsensical, or
> at least thoroughly unhelpful.

I find it quite the opposite, and your example shows why; I will call it a
Full-Knowledge Proof. A fake server can collect arbitrary shared secrets
simply by listening to the clients spill the knowledge. In fact, your example
completely violates the third rule:

> * Zero knowledge: for any verifier V, there exists a simulator S such
> that transcripts of V interacting with P are indistinguishable from
> transcripts which S can produce with oracle access to V (but without
> the auxiliary input s).

> I claim that the trivial `here's my secret' protocol is `zero-

It is not; it violates the additional rules that you skipped, in particular
that determining x from V(x) is impossible. In your example V is the
identity algorithm and as such can be trivially reversed.

There is plenty of reason to use ZKPs in the majority of shared-secret
situations, and avoiding a MITM collecting the data (as would easily happen
in your example) is a perfectly good one. A good ZKP in this situation will
also provide forward secrecy.
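The contrast the two posters are arguing about, as an added example that is not part of this thread and is neither poster's code: the trivial "send the secret" login, where the server's stored value is V(x) = x, beside a Schnorr identification run, where the server stores V(x) = g^x mod p. The thread names no particular ZKP, so Schnorr is my choice of a concrete one. A fake server that listens to the trivial protocol learns x outright and can impersonate the client; with Schnorr it collects a transcript (t, c, s) that only verifies for the one challenge it issued, and a simulator with oracle access to the verifier (but no x) can manufacture an equally valid transcript, which is the quoted zero-knowledge condition. The group p = 2039, q = 1019, g = 2 and every function name here are my own toy choices, sized for readability rather than security.

```python
# Added example, not from the thread: the trivial "send the secret" login
# beside a Schnorr-style zero-knowledge identification, with a listening
# fake server and a simulator that has no secret.
import hashlib
import secrets

# Toy group: safe prime p = 2q + 1, g generates the prime-order-q subgroup.
# Far too small for real use (the discrete log is brute-forceable here);
# a deployment would use a standard group such as an RFC 3526 MODP group.
P, Q, G = 2039, 1019, 2
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Client's secret x and the value the server stores, y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


# ---- Protocol 1: the "full-knowledge proof" ---------------------------------
# The server's stored value is V(x) = x itself, so the client has to send x.

def trivial_login(x, server_stored):
    """Client sends x in the clear; server compares.
    Returns (accepted, what_went_over_the_wire)."""
    sent = x
    return sent == server_stored, sent


# ---- Protocol 2: Schnorr identification, a zero-knowledge proof of x -------
# The server stores y = g^x; recovering x from y is the discrete-log problem.

def schnorr_commit():
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)                 # keep r private, send t = g^r


def schnorr_respond(x, r, c):
    return (r + c * x) % Q                 # s = r + c*x  (mod q)


def schnorr_check(y, t, c, s):
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def schnorr_login(x, y, challenge):
    """Run the 3-move protocol against a verifier given as challenge(t) -> c.
    Returns (accepted, transcript)."""
    r, t = schnorr_commit()
    c = challenge(t)
    s = schnorr_respond(x, r, c)
    return schnorr_check(y, t, c, s), (t, c, s)


def honest_challenge(t):
    """Honest server: fresh uniformly random challenge on every run."""
    return secrets.randbelow(Q)


def fake_server_challenge(t):
    """A fake server or MITM may pick the challenge any way it likes; here it
    derives c deterministically from t, which is what a simulator must cope with."""
    return int.from_bytes(hashlib.sha256(t.to_bytes(2, "big")).digest(), "big") % Q


def simulate(y, challenge, max_tries=200000):
    """Simulator S from the quoted definition: has y and oracle access to the
    verifier, but not x. Guesses the challenge, builds t to fit, and rewinds
    (retries) until the verifier's real challenge equals the guess.
    Expected number of tries is q."""
    for _ in range(max_tries):
        c_guess = secrets.randbelow(Q)
        s = secrets.randbelow(Q)
        # t = g^s * y^(-c) makes g^s == t * y^c hold by construction
        t = (pow(G, s, P) * pow(pow(y, c_guess, P), -1, P)) % P
        if challenge(t) == c_guess:
            return t, c_guess, s
    raise RuntimeError("simulation did not converge")


def replay_collected_transcript(y, transcript, fresh_c):
    """A fake server that collected (t, c, s) tries it on the real server,
    which issues its own challenge fresh_c. Succeeds only if fresh_c == c,
    i.e. with probability 1/q against a random challenge."""
    t, _old_c, s = transcript
    return schnorr_check(y, t, fresh_c, s)


if __name__ == "__main__":
    x, y = keygen()
    ok, leaked = trivial_login(x, x)
    print("trivial: accepted", ok, "| eavesdropper learned x:", leaked == x)
    ok, tr = schnorr_login(x, y, fake_server_challenge)
    print("schnorr vs fake server: accepted", ok, "| transcript", tr)
    print("simulated without x:", simulate(y, fake_server_challenge))
```

The `simulate` loop is the rewinding step that "oracle access to V" buys: because the simulator may query the verifier as often as it likes, it can keep re-issuing commitments until the verifier's challenge matches the one it built the transcript around. Nothing in that loop touches x, so whatever the fake server collected could have been produced without the secret.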