Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Date: Wed Mar 07 2001 - 16:57:09 CST
Ben Laurie writes:
> halfinney.org wrote:
> > Ben Laurie writes:
> > > Right, but she can also plausibly say "I really did send the message to
> > > Bob, but I've lost the key because of a hard disk crash, so I can no
> > > longer prove it".
> > Anyone can _say_ anything. How does your scheme prevent this "my dog
> > ate the evidence" excuse? Suppose she never sent anything to Bob,
> > but she claims that she completed your whole protocol, got the response
> > back from him and everything, and then oh dear, her computer crashed.
> > Why would you believe her?
> I wouldn't - but Bob would be able to read the message if she had done
> it, and if she hadn't, she would be unable to produce his signature.
Maybe I see what you're saying now. In the alternative protocol (without
ZK proof) Alice could claim that she lost the data that would allow
her to prove that the Trent encryption was proper, but still have the
signature back from Bob. And you're suggesting (maybe) that this would
still constitute proof that Bob could have read the message, even though
there is no evidence that she sent him the proper key. But I don't think
this actually constitutes proof, so I don't understand your objection,
if this is it.
> That's my aim: if Alice can prove Bob could read the message, than Bob
> really could.
I'd say the protocol without ZK proof accomplishes this.
> If Bob provides Alice with proof, he does so in exchange
> for the ability to read the message (in contrast to the other protocols
> discussed so far, where he does so in exchange for either the ability to
> read the message or the ability to show Alice cheated [or for Alice to
> claim she didn't cheat but can no longer prove it]).
This is a different requirement than in the "that's my aim" part above.
The earlier one dealt with what Alice could prove. This one deals with
what Bob will be able to do with the message.
Unfortunately I don't think you can clearly define what it means for
Bob to be assured of the ability to read "the message". You earlier
suggested that Alice could prove in ZK that the key would decrypt to
data in some particular format, like a message preceded by its hash.
But that wouldn't prevent the message from being garbage. There is
no way Bob can be assured that the message will be something he wants
to see, in exchange for giving his signature.