Question
Alice has a bank account number, but has forgotten which bank it is for. There are 4 banks, run by Bob, Carlos, David, and Eve.
She could find out by going to all of the banks and asking if they have the account number. However, if Eve learns Alice's account number, then Eve will go to Alice's actual bank and steal all of Alice's money.
Alice could hash the bank account number, and ask about the hash, but since the account number is only 8 digits, Eve could brute-force the hash anyway. Then, Eve will go to Alice's bank and steal all of her money.
Alice could use a Zero Knowledge Proving Protocol, but how would the bank know which account number to check against without repeating the ZKPP for every account number? Each of them has thousands of customers.
Explanation / Answer
As nightcracker notes in the comments, the real problem in your bank scenario is that the account number is doing double duty as both an identification token and as an authentication token.
The solution is equally simple: make the account number public and use it only for identification. Have Alice's bank issue her another number (let's call it a PIN) that isn't required to identify her account, but is required to withdraw money from it.
Of course, if some of the other banks are untrustworthy, they might claim to have Alice's account and ask for her PIN, only to then use it to steal money from her real account. To prevent this, Alice could (as you suggest) use a zero-knowledge proof protocol to verify her PIN to her real bank without allowing an impostor bank to learn it. Since the bank does know Alice's account number, they can use it to look up Alice's account information and verify her PIN against it.
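The scheme described in the answer above, as an added example that is not part of the original answer: the public account number is used only for lookup, and the customer authenticates with a Schnorr identification proof, so a bank only ever holds a public verifier. The class names, the demonstration group (integers mod 2**255 - 19, base 2) and the use of a random secret in place of a short PIN are assumptions of this example.

```python
import secrets

# Demonstration group (assumption): integers modulo the prime 2**255 - 19 with
# base 2. Exponents are reduced mod P - 1 (valid for any base by Fermat's little
# theorem). A deployment would use a vetted prime-order group or elliptic curve.
P = 2**255 - 19
G = 2
ORDER = P - 1


class Bank:
    def __init__(self):
        self.verifiers = {}  # public account number -> v = G^x mod P, never x
        self.pending = {}    # account number -> (commitment t, challenge c)

    def enroll(self, account, verifier):
        self.verifiers[account] = verifier

    def has_account(self, account):
        # Identification only: the account number is public, so asking is safe.
        return account in self.verifiers

    def challenge(self, account, commitment):
        c = secrets.randbelow(ORDER)
        self.pending[account] = (commitment, c)
        return c

    def verify(self, account, response):
        if account not in self.verifiers or account not in self.pending:
            return False
        t, c = self.pending.pop(account)  # each challenge is single-use
        # Accept iff G^s == t * v^c (mod P), which holds when s = r + c*x.
        return pow(G, response, P) == t * pow(self.verifiers[account], c, P) % P


class Customer:
    def __init__(self, account):
        self.account = account
        # Assumption: a random secret rather than a short PIN, because a short
        # PIN could be guessed offline against the public verifier.
        self.x = secrets.randbelow(ORDER)

    def verifier(self):
        return pow(G, self.x, P)

    def prove(self, bank):
        r = secrets.randbelow(ORDER)                    # fresh nonce per run
        c = bank.challenge(self.account, pow(G, r, P))  # send t, receive c
        return (r + c * self.x) % ORDER                 # r masks x in the response
```

A bank that falsely claims the account sees only a commitment, its own challenge and the response; replaying those to the real bank fails because the real bank issues a fresh challenge.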