Presentation on theme: "Moni Naor מוני נאור Cryptography and Sudoku"— Presentation transcript:
1 Moni Naor (מוני נאור): Cryptography and Sudoku
Weizmann Institute of Science
Joint work with: Ronen Gradwohl, Benny Pinkas, Guy Rothblum
2 What is Cryptography?
- Traditionally: how to maintain secrecy in communication
- Alice and Bob talk while Eve tries to listen
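3 Cryptography
- Very ancient occupation
- Biblical times: Atbash in Jeremiah
  איך נלכדה ששך ותתפש תהלת כל הארץ איך היתה לשמה בבל בגויים
  ("How Sheshach has been captured, and the praise of the whole earth seized! How Babylon has become a horror among the nations!")
- Egyptian hieroglyphs
  - Unusual ones...
- Many interesting books and sources, especially about the Enigma (WW2)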
4 Modern Times
- The study of the resources needed to solve computational problems
- Up to the mid 70's: classified military work
  - Exception: Shannon, Turing*
- Since then - explosive growth
  - Commercial applications
  - Scientific work: tight relationship with Computational Complexity Theory
  - Major works: Diffie-Hellman, Rivest, Shamir and Adleman (RSA)
- Recently: more involved models for more diverse tasks.
- How to maintain the secrecy, integrity and functionality in computer and communication systems.
- Prevalence of the Internet:
  - Cryptography is in the news (daily!)
  - Cryptography is relevant to "everyone" - security and privacy issues for individuals
5 Computational Complexity Theory
- Study the resources needed to solve computational problems
  - Computer time
  - Computer memory
  - Communication
  - Parallelism
  - Randomness
  - …
- Identify problems that are infeasible to compute by any reasonable machine
- Taxonomy: classify problems into classes with similar properties with respect to the resource requirements
- Help find the most efficient algorithm for a problem
- A computational problem:
  - multiplying two numbers
  - selecting a move in a chess position
  - finding the shortest tour visiting all cities
- P=NP?
7 Sudoku
- Fill in the empty entries in the grid so that every row, every column, and every 3 x 3 subgrid contains the digits 1 through 9.
8 Sudoku
- Fill in the empty entries in the grid so that every row, every column, and every 3 x 3 subgrid contains the digits 1 through 9.
- Can be generalized to an n × n grid, where n = k².
- The size of an instance is O(n² log(n)) bits.
- Nothing special about the numbers 1…9.
9 The Plot
- Paul: I know the solution!
- Veronica: Oh yeah? Prove it!
- Paul: Well, I could show you, but… I don't want to tell you how to solve it…
10 Zero-Knowledge Proofs
- Paul wants to prove that "A is true"
- [Figure: Paul and Veronica exchange messages: "Blah", "Blah?", "Blah", "Blah?", "Blah!", "Oh!"]
- If "A is true": Veronica is convinced, but doesn't learn about A! She can't prove that "A is true".
11 Why Study Zero-Knowledge Proofs?
- Authentication: prove your identity to someone using secret information, without revealing the secret
- Force malicious adversaries to act according to protocol
  - Design protocol with benign adversaries.
  - Then compile to withstand malicious ones
- Why study zero-knowledge for Sudoku?
  - It has nice properties
  - It's educational – everybody knows Sudoku
  - It's FUN!
12 Outline
- Definitions
- Physical model
- A basic protocol
- 2 variations
13 Interactive Proof
- Probabilistic protocol between 2 parties: Prover and Verifier
- Both know instance of a problem
- Prover might know a witness/solution
- Players "chat", and at the end, verifier accepts or rejects
- Completeness: probability that honest verifier accepts correct proof
- Soundness error: probability that verifier accepts incorrect proof
14 Zero-Knowledge Proof
- Interactive Proof
- Zero-knowledge property:
  - Whatever Verifier learned from Prover, could have learned by himself
  - Exists efficient Simulator that can simulate conversation, without access to Prover
- Zero-knowledge proof for all NP (NP: set of problems that have efficient verification)
  - Proof of 3-colorability
  - Proof for Hamiltonicity
15 Sudoku and Complexity
- Sudoku is in NP
  - Means: easy to verify solutions
- In fact: Sudoku is NP Complete – not all that relevant
- There are zero-knowledge proofs for all problems in NP
  - Therefore there is a ZK proof for Sudoku.
- Direct ZK proofs for Sudoku are preferable:
  - Efficiency: avoiding the overhead of the reduction
  - Practicality: Implementable without the aid of computers
  - Understandability (by non-experts!): Ensure that participants have intuitive understanding of the proof.
16 Physical Objects
- Typical cryptographic metaphor: physical "locked box"
- Hard to find physical locked boxes that:
  - Can never be opened
  - Are readily available
  - Have transparent operation
- Tamper-evident seal
  - Tampering is evident
  - Can open, but can't reseal
  - Scratch-off card, sealed envelope
17 Scratch-Off Cards
- Can't tell them apart (until unsealed)
- Can shuffle them effectively
  - Like picking a random permutation
- Can triplicate them
  - Stronger requirement
  - Used in perfect soundness protocol
18 Human Behavior
- Paul and Veronica are in same room
- Shuffling: Paul wants a fair shuffle, Veronica wants to make sure no cards were switched
- More benign adversary:
  - Either protocol works, or cheating player is labeled a "cheater"
19 Playing Cards
- Can use playing cards instead of scratch-off cards:
  - Sealing = turning card face down
  - Revealing = turning it face up
- Not really tamper evident
- Works when players in same room, watching each other
20 A Simple Physical Protocol
- Flip coin: rows or columns?
22 A Simple Physical Protocol
- Props: 81 sealed scratch-off cards, and a board with 81 cells (like Sudoku)
- P places a sealed card on each cell
  - Corresponding to his solution
  - "filled-in" values are unsealed
- V chooses one of rows/cols/subgrids
- P makes packet for each row, shuffles it
- V takes each packet, unseals cards, verifies that each contains cards 1…9
- If yes -- accept, otherwise reject
23 Analysis
- Completeness: perfect
- Soundness: cheating P must cheat in one of rows, columns, or subgrids
  - P is caught with probability ≥ 1/3
- Zero-knowledge: V only sees some permuted values of 1…9
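An added Python sketch of the simple protocol and its analysis above (not from the slides): sealed cards are modelled as board entries V only sees after the shuffle, and the sample grids, the unsolvable puzzle and all function names are constructed for illustration. A cheating prover whose board is valid on rows and columns but not on subgrids is rejected only when V picks subgrids, which is the 1/3 bound.

```python
import random

DIGITS = list(range(1, 10))
KINDS = ["rows", "cols", "subgrids"]

def units(kind):
    """Cells of the nine rows, columns or 3x3 subgrids, as (row, col) pairs."""
    if kind == "rows":
        return [[(r, c) for c in range(9)] for r in range(9)]
    if kind == "cols":
        return [[(r, c) for r in range(9)] for c in range(9)]
    return [[(3 * (b // 3) + i, 3 * (b % 3) + j) for i in range(3) for j in range(3)]
            for b in range(9)]

def run_round(puzzle, board, challenge, rng):
    """One round. Returns (accepted, packets as V sees them after unsealing)."""
    # Cards on filled-in cells lie unsealed, so V compares them with the puzzle.
    for r in range(9):
        for c in range(9):
            if puzzle[r][c] and board[r][c] != puzzle[r][c]:
                return False, []
    view = []
    for unit in units(challenge):
        packet = [board[r][c] for r, c in unit]
        rng.shuffle(packet)              # P shuffles the packet before V unseals it
        view.append(packet)
        if sorted(packet) != DIGITS:     # V: each packet must hold exactly 1..9
            return False, view
    return True, view

def catch_rate(puzzle, board, rounds, seed):
    """Fraction of rounds in which V rejects when the challenge is picked uniformly."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(rounds):
        accepted, _view = run_round(puzzle, board, rng.choice(KINDS), rng)
        rejected += not accepted
    return rejected / rounds

# Constructed sample data (not from the slides).
SOLUTION = [[(3 * (r % 3) + r // 3 + c) % 9 + 1 for c in range(9)] for r in range(9)]
PUZZLE = [[v if (r + c) % 4 == 0 else 0 for c, v in enumerate(row)]
          for r, row in enumerate(SOLUTION)]
# Cheating board: valid on rows and columns, invalid on every subgrid.
CHEAT = [[(r + c) % 9 + 1 for c in range(9)] for r in range(9)]
# Puzzle with no solution (2 appears twice in the top-left subgrid) that CHEAT matches.
BAD_PUZZLE = [[CHEAT[r][c] if r == 0 or (r, c) == (1, 0) else 0 for c in range(9)]
              for r in range(9)]
```

Calling `catch_rate(BAD_PUZZLE, CHEAT, 3000, seed=1)` gives a value close to 1/3, while the honest board is never rejected.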
26 Better Soundness
- Props: 81 scratch-off cards
- P places 3 cards on each cell, corresponding to solution
- For each cell, V assigns each card to one of rows/cols/subgrids, collects to corresponding packet
- P shuffles each of 27 packets
- V takes each packet, unseals cards, verifies that each contains 1…9
- If yes -- accept, otherwise reject
27 Analysis of Soundness
- P can no longer cheat as before
- New way to cheat: 3 cards on a cell are not the same value
- Say some cell gets 3 values, not all the same.
  - One of three cards is different from others
  - Belongs to one of rows/cols/subgrids
    - otherwise P is always caught cheating
  - V assigns card to correct row/col/subgrid with probability at most 1/3
  - ⇒ Cheating P caught with probability 2/3
- Actually: can show that P is caught with probability 8/9
  - At least 2 cells are mislabeled
28 Reducing Number of Shuffles
- Previous protocol required 27 shuffles. Too much!
- New protocol: same as before –
  - 3 cards on each cell
  - V assigns each to row/col/subgrid
  - Make 27 packets
- For each packet, V assigns a random number 1…c
- For each i, P assembles all packets with number i
- P shuffles each of c piles
- V takes each pile, unseals cards, verifies that each contains correct number of cards 1…9.
- If yes -- accept, otherwise reject
29 Analysis
- Only c shuffles required
- Soundness:
  - With probability 8/9, some packet j is unbalanced
  - However, two unbalanced packets, if shuffled together, may balance each other
  - Suppose all packets except j are assigned to one of c piles
    - If piles are balanced, then assigning j will cause imbalance ⇒ P will be caught
    - If 2+ piles are unbalanced ⇒ P will be caught
    - If 1 pile is unbalanced, j will balance it only if assigned to it, with probability 1/c
  - ⇒ Cheating P is caught with probability 8(c-1)/(9c)
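Added example (not from the slides): an exact enumeration of V's random choices in the three-cards-per-cell protocol, with separate packets and with packets merged into c piles, for one constructed two-cell cheat. The function names, the cheat and the "surplus" bookkeeping are assumptions of this sketch; it yields 8/9 for separate packets and a value at or above 8(c-1)/(9c) once packets are merged.

```python
from collections import Counter
from fractions import Fraction
from itertools import permutations, product

def packets_of(cell):
    """The row, column and subgrid packets that each receive one card from a cell."""
    r, c = cell
    return [("row", r), ("col", c), ("sub", 3 * (r // 3) + c // 3)]

def catch_probability(cheat, piles=None):
    """Exact probability that V rejects, enumerating all of V's random choices.

    cheat maps a cell to (value of an honest triple there, the 3 cards P placed).
    All other cells carry honest triples, so only packets touching a cheat cell
    can be unbalanced. piles=None checks each of the 27 packets on its own;
    piles=c merges packets into c piles as in the reduced-shuffle variant.
    """
    cells = list(cheat)
    touched = sorted({p for cell in cells for p in packets_of(cell)})
    if piles is None:                       # every packet is its own pile
        piles, numberings = len(touched), [range(len(touched))]
    else:                                   # V draws a pile number per packet
        numberings = list(product(range(piles), repeat=len(touched)))
    caught = total = 0
    # V decides which of the 3 cards on a cell goes to its row, column, subgrid.
    for split in product(*(permutations(cheat[cell][1]) for cell in cells)):
        surplus = {p: Counter() for p in touched}   # deviation from one each of 1..9
        for cell, cards in zip(cells, split):
            for packet, card in zip(packets_of(cell), cards):
                surplus[packet][card] += 1
                surplus[packet][cheat[cell][0]] -= 1
        for numbering in numberings:
            pile_surplus = [Counter() for _ in range(piles)]
            for packet, n in zip(touched, numbering):
                pile_surplus[n].update(surplus[packet])
            total += 1
            # V rejects if any pile has too many or too few of some digit.
            caught += any(v for pile in pile_surplus for v in pile.values())
    return Fraction(caught, total)

# Constructed cheat: two neighbouring cells whose honest values are 1 and 2.
# Swapping them keeps row 0 and the top-left subgrid valid but breaks columns 0 and 1,
# so P hopes the odd card of each triple is the one sent to the column packet.
TWO_CELL_CHEAT = {(0, 0): (1, (2, 2, 1)), (0, 1): (2, (1, 1, 2))}
```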
30 Perfect Soundness
- If 3 cards on each cell are guaranteed to have same value, cheating P would always get caught!
- Implementing triplicate:
  - With trusted setup: 3 cards (with same value) are connected and can be torn apart
  - Without trusted setup:
    - Use colors instead of numbers
    - Each card is a circle, prepared by P
    - V cuts each card into 3 equal pieces (randomly)
    - If card was not uniformly colored, random cut will reveal non-uniformity when card is scratched
31 Perfect Soundness with a trusted copy machine:
- Prepare three copies of the solution.
  - Puzzle should be printed on the back.
- One copy is cut along the rows
- One copy is cut along the columns
- One copy is cut along the subgrids
- Each strip is then cut into cells
- The cells are shuffled (or sorted by the prover)
- Verifier checks that
  - all values 1…9 are there
  - The "filled-in" cells have the same values on both sides
    - To prove that the correct puzzle was solved
32 Cryptographic Protocols
- Protocols
  - Zero-knowledge proofs
  - Secure computation
  - Encryption
  - Authentication
  - Digital signatures
- Cryptographic protocols: proceed by exchanging digital messages
- Assumptions needed: existence of a one-way function
33 Open problems:
- Implement physical protocol over the mail?
  - Parties need not be in the same room
  - Possible to implement commitments from scratch-off cards.
  - However, an amplification stage requires many repetitions
    - Not easy for humans
- Other puzzles?
35 Cryptography Today
- Cryptography is a very active research area
- Research activities range:
  - providing firm foundations
    - Relationship with complexity theory
  - providing actual constructions and analysis for specific needs.
- Some recent topics
  - Obfuscation of programs
  - Maintaining privacy of released data
  - Voting Schemes