Comments on Garden Path Trajectory: A Hands-On Tutorial for Zero-Knowledge Proofs: Part III

Blog author: Shir Peled. Feed updated: 2020-01-20T19:06:43.536+02:00

Shir Peled (2019-01-27T08:10:17.337+02:00):

Depends on how you define the protocol. In its interactive form (without the Fiat-Shamir heuristic), yes, recording the prover's answers will not be useful, since the verifier provides different bits of randomness on every query.
Consider this point - maybe I listened in on a few rounds of communications, but then when I want to mimic an honest prover, I have to start a round of communication by sending the root of some Merkle tree. Which one do I send? The one from the first query I listened to? But then, what if the verifier asks for a leaf in the tree that is not the exact one that it asked for when interacting with the honest prover? I can't forge an authentication path to make it all work...

On the other hand - for the case of non-interactive proofs, which is what we built here - of course you can pretend to be an honest prover. But this is not an issue, because what we're proving is not a question of identity, but rather a question of computational integrity. That is to say - we're not proving that the prover is honest, but that the claim is true. If such a proof exists then the claim is true, no matter who claims it, so there's no biggie that someone can prove it.

Šatov (2019-01-24T22:25:31.442+02:00):

Great series, thanks!
If the verifier executes the protocol n+1 times (one for each element of p), and a third party records the responses from the prover, is it true that this third party could, when challenged by the verifier, appear as if it knows the secret (m) by just replaying the responses? Is there any way to fix this? In general, I'm looking for a ZK protocol that is resistant to this kind of replay attack.
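
The point in Shir Peled's reply about the interactive protocol, as an added example that is not part of the original comments or the tutorial's code: a recorded Merkle root and authentication path only verify for the one leaf the verifier happened to ask for in the recorded round. The single-leaf query, the leaf values and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(leaves):
    """Return every level of a Merkle tree: leaf hashes first, root last."""
    levels = [[h(b"leaf", leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"node", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from the leaf at `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify(root, index, leaf, path):
    """Recompute the root from a leaf and its path; the index fixes left/right order."""
    node = h(b"leaf", leaf)
    for sibling in path:
        node = h(b"node", sibling, node) if index & 1 else h(b"node", node, sibling)
        index >>= 1
    return node == root

def honest_round(values, challenge):
    """Prover commits to freshly salted leaves, then opens the challenged one."""
    leaves = [secrets.token_bytes(16) + v for v in values]
    levels = build_tree(leaves)
    return {"root": levels[-1][0], "index": challenge,
            "leaf": leaves[challenge], "path": auth_path(levels, challenge)}

def replay_accepted(recorded, fresh_challenge):
    """Verifier's check when the recorded root, leaf and path are resent as-is."""
    return verify(recorded["root"], fresh_challenge, recorded["leaf"], recorded["path"])

def accepted_challenges(recorded, n):
    """Challenges for which the replayed transcript passes verification."""
    return [c for c in range(n) if replay_accepted(recorded, c)]

# Constructed sample data: 8 leaf values (a power of two keeps the tree simple).
VALUES = [bytes([i]) for i in range(8)]
RECORDED = honest_round(VALUES, 3)  # the single round the third party observed

if __name__ == "__main__":
    print(accepted_challenges(RECORDED, len(VALUES)))
```

With a fresh random challenge per round, the replayed transcript passes only when the verifier repeats the recorded index, so repeating the round drives the acceptance probability down.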