Cryptography Reference
In-Depth Information
X is true
!
X
??
?
!
?
!
!
Fig. 4.1 Zero-knowledge proofs - an illustration.
ior. The definition of the “benign behavior” captures what we want
to achieve in terms of security, and is specific to the security concern
to be addressed. For example, in the previous paragraph, we said that
a proof is zero-knowledge if it yields nothing (to the adversarial veri-
fier) beyond the validity of the assertion (i.e., the benign behavior is any
computation that is based (only) on the assertion itself, while assuming
that the latter is valid). Other examples are discussed in Sections 5.1
and 7.1.
A notable property of the aforementioned simulation paradigm, as
well as of the entire approach surveyed here, is that this approach is
overly liberal with respect to its view of the abilities of the adversary
as well as to what might constitute a gain for the adversary. Thus,
the approach may be considered overly cautious, because it prohibits
also “non-harmful” gains of some “far-fetched” adversaries. We warn
against this impression. Firstly, there is nothing more dangerous in
cryptography than to consider “reasonable” adversaries (a notion which
is almost a contradiction in terms): typically, the adversaries will try
exactly what the system designer has discarded as “far-fetched”. Sec-
ondly, it seems impossible to come up with definitions of security that
distinguish “breaking the scheme in a harmful way” from “breaking it in
a non-harmful way”: what is harmful is application-dependent, whereas
a good definition of security ought to be application-independent (as
otherwise using the scheme in any new application will require a full
re-evaluation of its security). Furthermore, even with respect to a spe-
