General Cryptographic Protocols - Foundations of Cryptography-A Primer

Cryptography Reference

In-Depth Information

n , and sends it to

A , which is supposed to reply with a pair of n -bit long strings,

denoted ( β, γ ). Party P checks whether or not f ( αβ )= γ .In

case equality holds, P sends A some secret information (e.g.,

the secret-key corresponding to P 's public-key).

For v =2: Party A is supposed to uniformly select α

For v =1: Party P uniformly selects α ∈{ 0 , 1 }

n ,and

∈{

0 , 1

}

n , and replies

sends it to P , which selects uniformly β ∈{ 0 , 1 }

with the pair ( β, f ( αβ )).

Observe that P 's strategy (in each case) is zero-knowledge (even w.r.t

auxiliary-inputs as defined in Definition 4.1): Intuitively, if the adver-

sary A chooses the case v = 1, then it is infeasible for A to guess a

passing pair ( β, γ ) with respect to a random α selected by P .Thus,

except with negligible probability (when it may get secret informa-

tion), A does not obtain anything from the interaction. On the other

hand, if the adversary A chooses the case v = 2, then it obtains a pair

that is indistinguishable from a uniformly selected pair of n -bit long

strings (because β is selected uniformly by P ,andforany α the value

f ( αβ ) looks random to A ). In contrast, if the adversary A can conduct

two concurrent executions with P , then it may learn the desired secret

information: In one session, A sends v = 1 while in the other it sends

v = 2. Upon receiving P 's message, denoted α , in the first session,

A sends it as its own message in the second session, obtaining a pair

( β, f ( αβ )) from P 's execution of the second session. Now, A sends the

pair ( β, f ( αβ )) to the first session of P , this pair passes the check, and

so A obtains the desired secret.

An attack of the above type is called a relay attack : During such an

attack the adversary just invokes two executions of the protocol and

relays messages between them (without any modification). However,

in general, the adversary in a concurrent setting is not restricted to

relay attacks. For example, consider a minor modification to the above

protocol so that, in case v =2,party P replies with (say) the pair

( β, f ( αβ )), where α = α

1 |α| , rather than with ( β, f ( αβ )). The modi-

fied strategy P is zero-knowledge and it also withstands a relay attack,

but it can be “abused” easily by a more general concurrent attack.

⊕

Search WWH ::

Custom Search

Home