I just came across this PhD thesis in philosophy: "Cryptography and Evidence" Michael Roe http://www.research.microsoft.com/users/mroe/THESIS.PDF I have just started to read it. The thesis aims to give a careful account of just what a protocol can and can *not* establish in the context of repudiation. I'm pretty excited to see it, because I know of little material on ZKPs from a "philosophical" point of view (besides Cypherpunks archives). What's more, the discussions I have seen with friends and such tend too often to focus on the probabilistic nature of ZKPs, most often questioning whether a probabilistic "proof" is a contradiction in terms. This isn't interesting to me - not least because you can make perfectly rigorous statements about the soundness of ZKPs. In the end, no matter what you call it, it must convince you. Better, but still short of the discussion I'd like, is that found in "The Ongoing Value of Proof" Gila Hanna http://fcis.oise.utoronto.ca/~ghanna/pme96prf.html which shows an understanding of what ZKPs are, but regretfully limits itself only to a brief comment that "..the most significant feature of the zero-knowledge method is that it is entirely at odds with the traditional view of proof as a demonstration open to inspection. This clearly thwarts the exchange of opinion among mathematicians by which a proof has traditionally come to be accepted." I wish the author had commented more, because as it stands I do *not* think that it is so clear that a ZKP is "entirely at odds" with the traditional view of proof. The interaction in a ZKP is certainly a "demonstration," and every round is open to inspection. Perhaps you could argue that the commitments used in ZKPs create a part of a ZKP "not open to inspection," but the commitment values and decommits certainly are open to inspection, so how far can you push this? If you're familiar with Wittgenstein's "say vs. show" distinction, this is how I might put it as a rough guide -- a ZKP's transcript is simulable, therefore "says nothing," but the interaction "shows" the truth of a proposition. (To some bounded probability of error.) Does anyone know of other works which comment on ZKPs from standpoints in philosophy? (or otherwise outside the usual standpoint of trying to develop new technical results about ZKPs?) Thanks, -David
On Mon, Jan 29, 2001 at 02:52:03AM -0500, dmolnar wrote:
I just came across this PhD thesis in philosophy:
"Cryptography and Evidence" Michael Roe http://www.research.microsoft.com/users/mroe/THESIS.PDF
Are you sure this is a thesis in philosophy? It seems to talk about the rather practical concerns of non-repudiation and its converse, plausible deniability. The paper reminds me of something I was wondering about: are there any email security programs that offer plausible deniability as an option? Sometimes you want to MAC a message with an authenticated symmetric key instead of signing it in order to preserve plausible deniability, but PGP for example doesn't seem to offer this.
You're right - now that I look at it in more depth, I'm not at all sure that it's a PHD in philosophy. As opposed to just an ordinary doctorate in some other field. Thanks for pointing this out... This makes me even more interested to find material which discusses zero-knowledge proofs from, say, a philosophy of math standpoint. or anything "interesting" yet outside the usual technical standpoint. As for your question, I don't know of any e-mail software which offers plausible deniability. Maybe something to add to gpg? -David On Wed, 31 Jan 2001, Wei Dai wrote:
On Mon, Jan 29, 2001 at 02:52:03AM -0500, dmolnar wrote:
I just came across this PhD thesis in philosophy:
"Cryptography and Evidence" Michael Roe http://www.research.microsoft.com/users/mroe/THESIS.PDF
Are you sure this is a thesis in philosophy? It seems to talk about the rather practical concerns of non-repudiation and its converse, plausible deniability. The paper reminds me of something I was wondering about: are there any email security programs that offer plausible deniability as an option? Sometimes you want to MAC a message with an authenticated symmetric key instead of signing it in order to preserve plausible deniability, but PGP for example doesn't seem to offer this.
participants (2)
-
dmolnar -
Wei Dai