Published by Mariah Wainscott. Modified over 2 years ago.

1
Wonders of the Digital Envelope
Computational complexity based cryptography
Theoretical ideas behind e-commerce and the internet revolution

2
Lecture III - plan
- Cryptography before computational complexity
- The ambitions of modern cryptography
- The assumptions of modern cryptography
- The digital envelope and its power
- Zero-knowledge proofs
- Private communication
- Oblivious computation

3
Cryptography before computational complexity
Secret communication
Assuming shared information which no one else has

4
What do we want to do?

5
Modern Cryptography
The basic conflict between:
- Secrecy / Privacy
- Resilience / Fault Tolerance
Tasks | Implements
Encryption | Code books
Identification | Driver License
Money transfer | Notes, checks
Public bids | Sealed envelopes

6
Modern Cryptography
Tasks | Implements
Info protection | Locks
Poker game | Play cards
Public lottery | Coins, dice
Sign contracts | Lawyers
Digitally, with no trusted parties
ALL NONE

7
What are we assuming?

8
Axiom 1: Agents are computationally limited.
Consequence 1: Only tasks having efficient algorithms can be performed

9
Easy and Hard Problems
asymptotic complexity of functions
Multiplication: mult(23,67) = 1541
grade school algorithm: n^2 steps on n digit inputs
EASY: Can be performed quickly for huge integers
Factoring: factor(1541) = (23,67)
best known algorithm: exp( n) steps on n digits
HARD? We don't know! We'll assume it.
Axiom 2: Factoring is hard!

10
p,q   p·q
Easy
Impossible
Theorem: Axioms digital
Axiom 1: Agents are computationally limited
Axiom 2: Factoring is hard

11
One-way functions
x   E(x)
Easy
Impossible
Axiom 1: Agents are computationally limited
Axiom 2: There exist one-way functions E
Example: E(p,q) = p·q (E is multiplication)
We have other E's
Nature's one-way functions: 2nd law of Thermodynamics

12
Properties of the Envelope
x   E(x)
- Easy to insert x (any value, even 1 bit)
- Hard to compute content (even partial info)
- Impossible to change content (E(x) defines x)
- Easy to verify that x is the content
Theorem: Cryptography
OPEN   CLOSED

13
The power of the digital envelope
Examples of increasing difficulty
Mind games of the 1980s – before Internet & E-commerce were imagined

14
Public bid (players in one room)
Phase 1: Commit
E(130), E(120), E(150)
Phase 2: Expose
$150, $120, $130
Theorem: Simultaneity
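
The two phases of the public bid, as an added example that is not part of the original slides. It assumes a SHA-256 hash over a random nonce plus the bid as a stand-in for the envelope E; the player names and the `cheat` parameter are constructed for illustration.

```python
import hashlib
import secrets

def seal(bid):
    """Phase 1 (commit): return (envelope, opening); only the envelope is published."""
    nonce = secrets.token_bytes(16)   # random padding so small bids cannot be guessed
    envelope = hashlib.sha256(nonce + str(bid).encode()).hexdigest()
    return envelope, (nonce, bid)

def verify(envelope, opening):
    """Easy to verify that the opened value is the content of the envelope."""
    nonce, bid = opening
    return hashlib.sha256(nonce + str(bid).encode()).hexdigest() == envelope

def run_auction(bids, cheat=None):
    """bids: {player: amount}. cheat: {player: amount} a player tries to swap in
    during the expose phase, after seeing nothing but envelopes."""
    # Phase 1: every envelope is on the table before any bid is exposed.
    table, openings = {}, {}
    for player, amount in bids.items():
        table[player], openings[player] = seal(amount)
    # Phase 2: each player exposes; an opening that does not match is rejected.
    accepted, rejected = {}, []
    for player, (nonce, amount) in openings.items():
        claimed = (cheat or {}).get(player, amount)
        if verify(table[player], (nonce, claimed)):
            accepted[player] = claimed
        else:
            rejected.append(player)
    winner = max(accepted, key=accepted.get) if accepted else None
    return winner, accepted, rejected

# Bid amounts from the slide; player names are constructed.
BIDS = {"alice": 130, "bob": 120, "carol": 150}

if __name__ == "__main__":
    print(run_auction(BIDS))
    print(run_auction(BIDS, cheat={"bob": 151}))
```
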

15
Public Lottery (on the phone)
Alice   Bob
Bob: flipping... You lost!
Theorem: Symmetry breaking
Alice: if I get the car (else you do)
What did you pick?
Bob: flipping...
Blum 1981

16
Identification / Passwords
Public password file:
Name | E(pswd) | …
alice | P_alice = E(…) | …
avi | P_avi = E(einat) | …
bob | P_bob = E(…) | …
login: avi
password: einat
Computer:
1. checks if E(pswd) = P_avi
2. erases password from screen

17
Theorem: Identification
Problem: Eavesdropping & repeated use!
Wishful thinking: Computer should check if I know x such that E(x) = P_avi without actually getting x
Zero-Knowledge Proof:
- Convincing
- Reveals no information

18
Copyrights
Dr. Alice: I can prove Riemann's Hypothesis
Prof. Bob: Impossible! What is the proof?
Dr. Alice: Lemma…Proof…Lemma…Proof...
Prof. Bob: Amazing!! I'll recommend tenure
Amazing!! I'll publish first

19
Zero-Knowledge Proof
Claim
Bob   Alice (proof)
Accept/Reject
Claim false: Bob rejects
Claim true: Bob accepts
Bob learns nothing
with high probability
Goldwasser-Micali-Rackoff 1984

20
The universality of Zero-Knowledge
Theorem: Everything you can prove at all, you can prove in Zero-Knowledge
Goldreich-Micali-Wigderson 1986

21
ZK-proofs of Map Coloring
Input: planar map M
4-COL: is M 4-colorable? YES!
3-COL: is M 3-colorable? HARD!
Typical claim: map M is 3-colorable
Theorem [GMW]: Such claims have ZK-proofs

22
[Figure: map with countries labeled A through Q]
Claim: This map is 3-colorable (with R Y G)
I'll prove this claim in zero-knowledge
Note: if I have any 3-coloring of any map, then I immediately have 6

23
[Figure: map with countries labeled A through Q]
Structure of proof:
Repeat (until satisfied)
- I hide a random one of my 6 colorings in digital envelopes
- You pick a pair of adjacent countries
- I open this pair of envelopes
Reject if RR, YY, GG or illegal color

24
Zero-knowledge proof demo

25-36
[Figure: demo map with countries labeled A through Q, repeated on each slide]

38
Why is it a Zero-Knowledge Proof?
Exposed information is useless (Bob learns nothing)
M 3-colorable: Probability [Accept] = 1 (Alice always convinces Bob)
M not 3-colorable: Prob [Accept] < .99
Prob [Accept in 300 trials] < 1/billion (Alice rarely convinces Bob)
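
The repeated commit / challenge / open round from the proof structure, run for an honest and a cheating prover, as an added example that is not part of the original slides. It assumes SHA-256 over a random nonce plus the color as a stand-in for the envelope E; the five-country map, the colorings and all function names are constructed for illustration.

```python
import hashlib
import random
import secrets

COLORS = "RYG"
# Constructed sample map (not the lecture's A-Q map): pairs of adjacent countries.
EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"),
         ("C", "D"), ("C", "E"), ("D", "E")]
GOOD = {"A": "R", "B": "Y", "C": "G", "D": "R", "E": "Y"}   # a valid 3-coloring
BAD = dict(GOOD, E="G")             # C and E now clash: not a valid coloring

def seal(color):
    """Envelope stand-in (assumption): SHA-256 over a fresh nonce plus the color."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + color.encode()).hexdigest(), nonce

def opens_to(envelope, nonce, color):
    return hashlib.sha256(nonce + color.encode()).hexdigest() == envelope

def run_round(coloring, edges, rng):
    # Prover: pick a random one of the 6 recolorings and seal every country.
    perm = dict(zip(COLORS, rng.sample(COLORS, 3)))
    hidden = {c: perm[col] for c, col in coloring.items()}
    sealed = {c: seal(col) for c, col in hidden.items()}
    envelopes = {c: env for c, (env, _) in sealed.items()}   # all the verifier sees
    # Verifier: pick a pair of adjacent countries.
    u, v = rng.choice(edges)
    # Prover opens only that pair; verifier checks the envelopes, then the colors.
    for c in (u, v):
        if not opens_to(envelopes[c], sealed[c][1], hidden[c]):
            return False
    return hidden[u] in COLORS and hidden[v] in COLORS and hidden[u] != hidden[v]

def accepts(coloring, edges, rounds, seed=1):
    """Repeat the round; the seeded PRNG keeps the demo reproducible (a real
    verifier would draw its challenges from a CSPRNG)."""
    rng = random.Random(seed)
    return all(run_round(coloring, edges, rng) for _ in range(rounds))

def cheat_bound(edges, rounds):
    """Bound on a cheater's success: some edge is bad, so each round catches
    the prover with probability at least 1/len(edges)."""
    return (1 - 1 / len(edges)) ** rounds

if __name__ == "__main__":
    print(accepts(GOOD, EDGES, 300), accepts(BAD, EDGES, 300))
    print(cheat_bound(EDGES, 300))
```

Each opened pair is two distinct colors under a fresh random permutation, so what the verifier sees in a round is independent of the prover's actual coloring.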

39
What does it have to do with Riemann's Hypothesis?
Theorem: There is an efficient algorithm A:
Claim + Proof length   A   Map M
Claim true   M 3-colorable
Proof   3-coloring of M
A is the Cook-Levin dictionary, proving that 3-coloring is NP-complete

40
Theorem [GMW]: + short proof efficient ZK proof
Theorem [GMW]: fault-tolerant protocols

41
Making any protocol fault-tolerant
1. P_2 sends m_1(s_2)
2. P_7 sends m_2(s_7, m_1)
3. P_1 sends m_3(s_1, m_1, m_2)
[Figure: players P_1, P_2, P_3, P_7 holding s_1, s_2, s_3, s_7; s_i secret]
Suppose that in step 1 P_2 sends X
How do we know that X = m_1(s_2)?
s_2 is a short proof of correctness!
P_2 proves correctness in zero-knowledge!!

42
So Far...
Fault Tolerance (we can force players to behave well!)
? Privacy/Secrecy (even when all players behave well)

43
Private communication
Alice and Bob want to have a completely private conversation.
They share no private information.
Many in this audience have already faced and solved this problem often!

44
Public-key encryption
E-commerce security
Personal Digital envelope
x   E(x)
Easy for everyone
Hard for everyone
Easy for Bob
"I want to purchase War and Peace. My credit card number is"
E_B, E_C, E_A
you   B
Diffie-Hellman, Merkle
Rivest-Shamir-Adleman
Factoring is hard

45
The Millionaires' Problem
- Both want to know who is richer
- Neither gets any other information
g(A,B) = 0 if A > B
g(A,B) = 1 if A ≤ B
Players: A, B

46
Computing with secret inputs
[Figure: g with inputs S_1, S_2, …, S_n]
Elections: g = Majority
S_i = 0: Democrats
S_i = 1: Republicans
g(S_1, …, S_n): winner
All players are honest.
All players learn g(S_1, S_2, …, S_n)
No subset learns anything more

47
How to compute natural functions privately?
Generalize: Try to do it for every function
Specialize: Identify a universal function
Solve it (using special envelopes)
Yao 1987
Oblivious computation

48
Computation in small steps
[Figure: Boolean circuit of AND and OR gates computing g(inputs)]
Ignore privacy.
Every g has a Boolean circuit

49
Computing with envelopes I
Alice: a, Bob: b
AND
Possible with personal
Axiom 2: Factoring is hard
AND is universal

50
Computing with envelopes II
[Figure: circuit computing g(inputs)]

51
Summary
Practically every cryptographic task can be performed securely & privately, assuming that players are computationally bounded and Factoring is hard.
- Computational complexity is essential!
- Hard problems can be useful!
- The theory predated (& enabled) the Internet
- What if factoring is easy?
- We have (very) few alternatives.
Major open question: Can cryptography be based on NP-complete problems?
