Presentation transcript: "Wonders of the Digital Envelope"
Slide 1: Wonders of the Digital Envelope
Computational-complexity-based cryptography: the theoretical ideas behind e-commerce and the internet revolution.
Slide 2: Lecture III, plan
- Cryptography before computational complexity
- The ambitions of modern cryptography
- The assumptions of modern cryptography
- The "digital envelope" and its power
- Zero-knowledge proofs
- Private communication
- Oblivious computation
Slide 3: Cryptography before computational complexity
Secret communication, assuming shared information which no one else has.
Slide 4: What do we want to do?
Here are the ambitions of modern cryptography.
Slide 5: Modern cryptography
The basic conflict between secrecy/privacy and resilience/fault tolerance.
Task: Encryption; physical implement: code books.
Task: Identification; implement: driver license.
Task: Money transfer; implement: notes, checks.
Task: Public bids; implement: sealed envelopes.
These two basic issues occur in lots of human interactions. Usually, physical implements were invented to deal with privacy and resilience.
Slide 6: Digitally, with no trusted parties
Task: Information protection; implement: locks.
Task: Poker game; implement: playing cards.
Task: Public lottery; implement: coins, dice.
Task: Sign contracts; implement: lawyers.
Tasks: ALL. Implements: NONE.
We want to do everything digitally, with no physical implements (and no trusted parties).
Slide 7: What are we assuming?
The axioms underlying modern cryptography.
Slide 8: Axiom 1: Agents are computationally limited.
Consequence 1: Only tasks having efficient algorithms can be performed.
This can be defined in many ways; one common one is that agents can toss coins and compute for polynomial time (but other definitions make sense, such as memory bounds, etc.).
Slide 9: Easy and hard problems (asymptotic complexity of functions)
Multiplication: mult(23, 67) = 1541. Grade-school algorithm: n^2 steps on n-digit inputs. EASY: can be performed quickly for huge integers.
Factoring: factor(1541) = (23, 67). Best known algorithms: running time roughly exponential in a power of n on n-digit inputs (sub-exponential, but nowhere near polynomial). HARD? We don't know! We'll assume it.
Axiom 2: Factoring is hard!
Slide 10: Axiom 1: Agents are computationally limited. Axiom 2: Factoring is hard.
(p, q) to pq: easy. pq to (p, q): impossible.
(p, q) and pq are information-theoretically equivalent for primes p, q. However, computationally they are very different!
Theorem: the axioms give us the digital envelope.
Slide 11: One-way functions
Axiom 1: Agents are computationally limited. Axiom 2': There exist one-way functions.
x to E(x): easy. E(x) to x: impossible. Example: E(p, q) = pq, i.e. E is multiplication. We have other E's.
More generally, we can assume "one-way" functions; multiplication is one of the few candidates for such a function that we have. Nature may provide others (but this is only an analogy): nature's one-way functions, the 2nd law of thermodynamics.
Slide 12: Properties of the envelope
x (open) versus E(x) (closed):
- Easy to insert x (any value, even 1 bit).
- Hard to compute the content (even partial information).
- Impossible to change the content (E(x) defines x).
- Easy to verify that x is the content.
To prove these properties from the axioms is very difficult (even defining them exactly is difficult). These definitions were initiated in the seminal paper of Goldwasser and Micali, "Probabilistic Encryption" (1982).
Theorem: the envelope gives us cryptography.
Slide 13: The power of the digital envelope
Examples of increasing difficulty. Mind games of the 1980s, before the Internet and e-commerce were imagined. Theory came much before practice!
Slide 14: Public bid (players in one room)
Bids: $130, $120, $150.
Phase 1, commit: E(130), E(120), E(150).
Phase 2, expose: 130, 120, 150.
Everyone sees what everyone else does and hears whatever everyone else says. This is the simplest and most ideal application of real envelopes: a commitment protocol.
Theorem: the envelope gives simultaneity.
Slide 15: Public lottery (on the phone) [Blum 1981]
Alice: If ... I get the car (else you do).
Bob: Flipping... flipping... You lost! What did you pick?
Here the players are on the phone; they cannot see what the other is doing. They decide to toss a coin and see who gets the car. Can they do it? The envelope prevents Bob from seeing the value, but Alice can't change her mind later.
Theorem: the envelope gives symmetry breaking.
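As an added example (mine, not code from the lecture), here is a hash-based digital envelope with the four properties of slide 12, driving the sealed-bid auction of slide 14 and Blum's coin flip of slide 15. It assumes SHA-256 as the one-way function in place of multiplication; the bidder names, bid values and function names are constructed for the illustration.

```python
"""Added example: a hash-based digital envelope (commitment), a sealed-bid auction and a coin flip."""
from __future__ import annotations
import hashlib
import secrets

# The lecture builds the envelope from a one-way function such as multiplication.
# This example assumes SHA-256 is one-way and collision-resistant instead.
NONCE_LEN = 32


def commit(value: bytes) -> tuple[bytes, tuple[bytes, bytes]]:
    """Seal `value` in an envelope. Returns (envelope, opening).

    The random nonce is what keeps the envelope hiding even for a tiny value space
    (a bid, a single bit): without it anyone could simply try every candidate value.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    envelope = hashlib.sha256(nonce + value).digest()
    return envelope, (nonce, value)


def open_envelope(envelope: bytes, opening: tuple[bytes, bytes]) -> bytes:
    """Verify an opening against the envelope. Binding: a different value will not match."""
    nonce, value = opening
    if hashlib.sha256(nonce + value).digest() != envelope:
        raise ValueError("opening does not match envelope")
    return value


def sealed_bid_auction(bids: dict[str, int]) -> tuple[str, int]:
    """Slide 14: everyone commits first, then everyone opens. Returns (winner, amount)."""
    # Phase 1, commit: envelopes are published, openings stay with their owners.
    envelopes, openings = {}, {}
    for name, amount in bids.items():
        envelopes[name], openings[name] = commit(amount.to_bytes(4, "big"))
    # Phase 2, expose: every opening is checked against the published envelope.
    revealed = {name: int.from_bytes(open_envelope(envelopes[name], openings[name]), "big")
                for name in bids}
    winner = max(revealed, key=revealed.get)
    return winner, revealed[winner]


def late_bid_change_is_rejected() -> bool:
    """A bidder who sees the other envelopes and then tries to open with a higher bid is caught."""
    envelope, (nonce, _) = commit((120).to_bytes(4, "big"))
    try:
        open_envelope(envelope, (nonce, (160).to_bytes(4, "big")))
    except ValueError:
        return True
    return False


def blum_coin_flip(alice_bit: int, bob_bit: int) -> int:
    """Slide 15: Alice commits to a bit, Bob announces his bit, Alice opens; the coin is the XOR.

    Hiding stops Bob from choosing his bit after learning Alice's; binding stops Alice
    from changing hers after hearing Bob's. Neither party can bias the coin alone.
    """
    envelope, opening = commit(bytes([alice_bit]))   # Alice -> Bob: the envelope only
    # Bob, seeing only the envelope, sends bob_bit.  # Bob -> Alice
    revealed = open_envelope(envelope, opening)[0]   # Alice -> Bob: the opening; Bob checks it
    return revealed ^ bob_bit


def unsalted_commit(value: int) -> bytes:
    """The wrong way: an envelope that is just H(value), with no randomness."""
    return hashlib.sha256(value.to_bytes(4, "big")).digest()


def brute_force_unsalted(envelope: bytes, candidates: range) -> int | None:
    """Why the nonce matters: over a small value space an unsalted envelope reveals its content
    to anyone willing to hash every candidate (violates 'hard to compute the content')."""
    for v in candidates:
        if unsalted_commit(v) == envelope:
            return v
    return None
```

In a real auction the envelopes would be broadcast to all bidders and the openings broadcast in the second phase, so that each bidder runs `open_envelope` on the others' openings; the binding check is what stops a bidder from revising a bid after seeing the competition.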
Slide 16: Identification / passwords
Public password file (name, E(pswd)):
alice: P_alice = E(...)
avi: P_avi = E(einat)
bob: P_bob = E(...)
login: avi
password: einat
Computer: 1. checks whether E(pswd) = P_avi; 2. erases the password from the screen.
The password file can be public, since the envelopes do not reveal their contents (the passwords). On the other hand, the computer can quickly check that a candidate password is correct, by the envelope property (applying E is easy).
Slide 17: Problem: eavesdropping and repeated use!
Wishful thinking: the computer should check whether I know x such that E(x) = P_avi without actually getting x.
We log in to the system many times. This is very different from the previous examples, where the critical information was of no use for anything after it was revealed. Someone may be (surely is) monitoring the communication line. It would be nice if we could convince the computer (or our bank, etc.) that we know our password without actually giving it (in this way, no one can copy it).
Zero-knowledge proof: convincing, yet reveals no information.
Theorem: the envelope gives identification.
Slide 18: Copyrights
Dr. Alice: I can prove Riemann's Hypothesis.
Prof. Bob: Impossible! What is the proof?
Dr. Alice: Lemma... Proof... Lemma... Proof...
Prof. Bob: Amazing!! I'll recommend tenure. (Or: Amazing!! I'll publish first.)
Another example where wishful thinking helps, as is any other situation where protecting intellectual rights is relevant.
Slide 19: Zero-knowledge proof [Goldwasser-Micali-Rackoff 1985]
"Claim"; Alice ("proof") and Bob interact; Bob outputs Accept/Reject.
If the "claim" is true: Bob accepts, and Bob learns nothing. If the "claim" is false: Bob rejects with high probability.
Formally defining zero-knowledge is quite complicated, but the intuition is simple. Alice and Bob both know the claim to be proven. They can each toss random coins. They interact for a few rounds, after which Bob decides to accept or reject the claim. Because they use randomness, Bob fails to detect a false claim only with an arbitrarily small probability (which he chooses, and which depends only on his coin tosses).
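Added example, not from the lecture: Fiat-Shamir identification realises the wishful thinking of slide 17 for the password file of slide 16. The envelope is E(s) = s^2 mod N, whose one-wayness rests on the lecture's Axiom 2 (factoring N is hard); only E(s) is stored, and each login is a zero-knowledge proof of knowledge of s. The modulus, the secret value and the class and function names are constructed for this illustration, and the modulus is toy-sized.

```python
"""Added example: Fiat-Shamir identification, a zero-knowledge proof of knowing s with E(s) = s^2 mod N."""
import secrets
from math import gcd

# Toy modulus constructed for the example; real systems use N of 2048 bits or more.
# p and q are used only to build N and are never needed by either party afterwards.
P, Q = 1_000_000_007, 998_244_353   # both prime
N = P * Q


def E(s: int) -> int:
    """The envelope: squaring modulo N. Inverting it is as hard as factoring N."""
    return pow(s, 2, N)


def enroll(secret: int) -> int:
    """The server stores only v = E(secret) in the (public) password file."""
    if not 1 < secret < N or gcd(secret, N) != 1:
        raise ValueError("secret must be a unit mod N")
    return E(secret)


def random_unit() -> int:
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


class Prover:
    """Honest user: knows the secret s."""
    def __init__(self, secret: int):
        self.s = secret

    def commit(self) -> int:
        self.r = random_unit()
        return E(self.r)                          # x = r^2 mod N, a fresh envelope each round

    def respond(self, e: int) -> int:
        return self.r * pow(self.s, e, N) % N     # y = r * s^e mod N: reveals r or r*s, never s


class CheatingProver:
    """Knows only the public v. Guesses the challenge bit in advance; wins the round iff the guess is right."""
    def __init__(self, v: int):
        self.v = v

    def commit(self) -> int:
        self.guess = secrets.randbelow(2)
        self.y = random_unit()
        if self.guess == 0:
            return E(self.y)                               # x = y^2, will answer y (passes iff e == 0)
        return E(self.y) * pow(self.v, -1, N) % N          # x = y^2 / v, will answer y (passes iff e == 1)

    def respond(self, e: int) -> int:
        return self.y


def verify_round(v: int, x: int, e: int, y: int) -> bool:
    """Bob's check: y must be a unit and y^2 == x * v^e (mod N)."""
    return gcd(y, N) == 1 and pow(y, 2, N) == x * pow(v, e, N) % N


def identify(prover, v: int, rounds: int = 40) -> bool:
    """Verifier loop. A prover without s passes all rounds with probability 2^-rounds."""
    for _ in range(rounds):
        x = prover.commit()             # Alice -> Bob
        e = secrets.randbelow(2)        # Bob -> Alice: his coin toss
        y = prover.respond(e)           # Alice -> Bob
        if not verify_round(v, x, e, y):
            return False
    return True


def simulate_transcript(v: int) -> tuple:
    """Why Bob learns nothing: anyone can produce accepting transcripts (x, e, y) with the same
    distribution as a real run, without knowing s. An eavesdropper's recordings are therefore worthless."""
    e = secrets.randbelow(2)
    y = random_unit()
    x = pow(y, 2, N) * pow(v, -e, N) % N
    return x, e, y
```

Each round halves a cheater's chance, so the verifier picks the number of rounds to set the error it tolerates (slide 19's "arbitrarily small probability"); the simulator is the usual way to argue zero-knowledge against an honest verifier.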
Slide 20: The universality of zero-knowledge [Goldreich-Micali-Wigderson 1986]
Theorem: Everything you can prove at all, you can prove in zero-knowledge.
We'll see the intuition for the proof of this universality theorem in several stages. First, we'll argue it for "map-coloring claims", and demo a zero-knowledge proof for such claims. Then we explain why the ability to do that takes care of all possible mathematical claims.
Slide 21: ZK proofs of map coloring
Input: a planar map M.
4-COL: is M 4-colorable? YES! (Always.)
3-COL: is M 3-colorable? HARD!
Typical "claim": map M is 3-colorable. Theorem [GMW]: such claims have ZK proofs.
Let's look at different types of claims. We had "I know my password" and "I can prove the Riemann hypothesis". Now: "I can color this map in 3 colors". The famous 4-color theorem of Appel and Haken states that every planar map can be 4-colored (so a claim that a map is 4-colorable is not an interesting one; it is always true).
Slide 22: I'll prove this claim in zero-knowledge
Claim: This map (countries A to Q) is 3-colorable (with R, Y, G).
Note: if I have any 3-coloring of any map, then I immediately have 6 (one for each renaming of the three colors).
This basic combinatorial property of colorings, namely that the colors can be renamed at random, will be essential.
Slide 23: Structure of proof (map with countries A to Q)
Repeat (until satisfied):
- I hide a random one of my 6 colorings in digital envelopes.
- You pick a pair of adjacent countries.
- I open this pair of envelopes.
- Reject if RR, YY, GG, or an illegal color.
Slide 24: Zero-knowledge proof demo
For each one of these colorings (encrypted by digital envelopes), which I chose randomly:
For each slide, do the following. First, you need to get out of presentation mode. Let the audience pick a pair of adjacent countries. Then drag the white covers of the envelopes, only on these two countries, to reveal the underlying colors. Don't reveal the colors of any other country.
Slide 38: Why is it a zero-knowledge proof?
Exposed information is useless (Bob learns nothing).
M 3-colorable: Probability[Accept] = 1 (Alice always convinces Bob).
M not 3-colorable: Prob[Accept] < 0.99 per round, so Prob[Accept in k rounds] < 0.99^k: below 5% after 300 rounds and below 1/billion after about 2100 rounds (Alice rarely convinces Bob).
If the coloring was legal, and each time a random renaming of the 6 possible ones was chosen: 1) ZK: at every step, only a pair of random distinct colors was exposed. 2) Bob would never find a reason to reject.
But if the map is not 3-colorable, there must be either a pair of adjacent countries with the same color, or an illegal color somewhere. If the pair is picked randomly, Bob catches this error with probability at least 1 over the number of borders (at least 1% for this map). If he repeats it k times, the probability that he doesn't catch an error drops exponentially, like 0.99^k, which becomes tiny very quickly.
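Added example (mine, not the lecture's demo): the protocol of slides 22 and 23 on a small map constructed for the illustration, with SHA-256 commitments standing in for the digital envelopes, together with the error bound of slide 38. The map, the colorings and the function names are assumptions of the example.

```python
"""Added example: the GMW zero-knowledge proof of 3-colorability with hash commitments as envelopes."""
from __future__ import annotations
import hashlib
import secrets

COLORS = ("R", "Y", "G")

# A small planar map constructed for the example: 6 countries, 9 borders, and a legal 3-coloring.
EDGES = [(0, 1), (1, 2), (0, 2), (0, 3), (1, 3), (1, 4), (2, 4), (0, 5), (2, 5)]
GOOD_COLORING = {0: "R", 1: "G", 2: "Y", 3: "Y", 4: "R", 5: "G"}
BAD_COLORING = {**GOOD_COLORING, 5: "Y"}   # border (2, 5) becomes Y-Y: not a legal coloring


def commit(color: str) -> tuple[bytes, bytes]:
    """Seal one country's color: returns (envelope, nonce)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + color.encode()).digest(), nonce


def prover_commit(coloring: dict) -> tuple[dict, dict]:
    """Alice picks one of the 6 renamings of her coloring at random and seals every country."""
    perm = list(COLORS)
    secrets.SystemRandom().shuffle(perm)
    rename = dict(zip(COLORS, perm))
    envelopes, openings = {}, {}
    for country, color in coloring.items():
        new_color = rename.get(color, color)   # an illegal color stays illegal
        envelopes[country], nonce = commit(new_color)
        openings[country] = (nonce, new_color)
    return envelopes, openings


def verifier_check(envelopes: dict, u: int, v: int, open_u, open_v) -> bool:
    """Bob opens the two envelopes on the chosen border; rejects RR, YY, GG, an illegal color or a bad opening."""
    for country, (nonce, color) in ((u, open_u), (v, open_v)):
        if hashlib.sha256(nonce + color.encode()).digest() != envelopes[country]:
            return False
        if color not in COLORS:
            return False
    return open_u[1] != open_v[1]


def prove_3_colorable(edges, coloring, rounds: int) -> bool:
    """Runs the interactive proof; Bob accepts only if every round passes."""
    for _ in range(rounds):
        envelopes, openings = prover_commit(coloring)   # Alice -> Bob: all envelopes
        u, v = secrets.choice(edges)                     # Bob -> Alice: a random border
        if not verifier_check(envelopes, u, v, openings[u], openings[v]):   # Alice -> Bob: two openings
            return False
    return True


def cheat_acceptance_bound(num_edges: int, rounds: int) -> float:
    """If the map is not 3-colorable at least one border is bad, so each round catches it with
    probability >= 1/num_edges; surviving every round has probability <= (1 - 1/num_edges)^rounds."""
    return (1 - 1 / num_edges) ** rounds


def simulate_view(edges) -> tuple:
    """What Bob sees in a round, producible without any coloring: a border and two random distinct
    colors. The random renaming is what makes the real view look exactly like this."""
    u, v = secrets.choice(edges)
    c1, c2 = secrets.SystemRandom().sample(COLORS, 2)
    return (u, v), (c1, c2)
```

The bound is what the verifier tunes: with 9 borders, 200 rounds already push a cheater's survival probability below 1e-10, while the lecture's 1%-per-round map needs about 2100 rounds for the same confidence.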
Slide 39: What does it have to do with Riemann's Hypothesis?
Theorem: There is an efficient algorithm A that maps ("Claim", "Proof length") to a map M such that the claim has a proof of that length if and only if M is 3-colorable, and that maps any such "Proof" to a 3-coloring of M.
A is the Cook-Levin "dictionary", proving that 3-coloring is NP-complete.
Here we use the fact that 3-coloring is NP-complete, which allows a translation of any problem with a short proof into a map-coloring problem (as well as of the proof itself into a legal coloring) via the Cook-Levin theorem.
Slide 40: Theorem [GMW]: a claim with a short proof has an efficient ZK proof.
Theorem [GMW]: ZK proofs give fault-tolerant protocols.
The incredible utility of ZK protocols: they guarantee correct behavior of agents, despite the existence of secrets.
Slide 41: Making any protocol fault-tolerant
Player P_i holds secret s_i. Protocol: 1. P_2 sends m_1(s_2). 2. P_7 sends m_2(s_7, m_1). 3. P_1 sends m_3(s_1, m_1, m_2). ...
Suppose that in step 1 P_2 sends X. How do we know that X = m_1(s_2)? s_2 is a short proof of correctness! P_2 proves correctness in zero-knowledge!!
A protocol is just a sequence of instructions (like a program) but for many players. Each should send a message, according to a specified rule (function), at the appropriate steps. The problem is how the others make sure a particular player sent the correct message; after all, it depends on his or her private secrets! We are oversimplifying here: the secrets s_i are sealed beforehand in envelopes E(s_i). The properties of the envelope allow the players to use these short proofs without cheating, as they are committed to them.
Slide 42: So far...
Fault tolerance (we can force players to behave well!). Next: privacy/secrecy (even when all players behave well).
Slide 43: Private communication
Alice and Bob want to have a completely private conversation. They share no private information.
Many in this audience have already faced and solved this problem often! Alice, Bob and their problems were born before cryptography: this famous 1960s movie (Bob & Carol & Ted & Alice) is about discussing your feelings. Alice and Bob want to do so in a manner that will not allow Carol and Ted to understand a single word. They share no common private information.
Slide 44: Public-key encryption, e-commerce security [Diffie-Hellman, Merkle; Rivest-Shamir-Adleman]
"I want to purchase 'War and Peace'. My credit card number is ..." sent in the recipient's envelope (E_A, E_B or E_C).
Bob's personal digital envelope: x to E_B(x) is easy for everyone; E_B(x) to x is hard for everyone but easy for Bob. Assumes factoring is hard.
This is the important idea of public-key cryptography, which initiated computationally based crypto. We need more than the digital envelope as we defined it, but rather "personal" envelopes, e.g. Bob's envelopes allow anyone to send him secret information which only he can understand. No prior shared information is needed, only the hardness of factoring (the famous RSA protocol).
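Added example (mine, not the lecture's): Bob's personal envelope as textbook RSA, built from two primes whose product N only Bob can factor. The primes, the message and the function names are constructed for the illustration and are toy-sized. Two checks are included that a practitioner wants: what an attacker who can factor N recovers, and why unpadded RSA is not the envelope of slide 12.

```python
"""Added example: a personal envelope from factoring (textbook RSA) and two things to check about it."""
from __future__ import annotations
from math import gcd

# Toy primes constructed for the example. Real keys use primes of 1024 bits or more.
P, Q = 1_000_000_007, 998_244_353
E_PUB = 65537


def keygen(p: int, q: int, e: int = E_PUB) -> tuple[tuple[int, int], int]:
    """Bob publishes (N, e) and keeps d. Computing d needs phi(N) = (p-1)(q-1), i.e. the factors of N."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N)")
    d = pow(e, -1, phi)
    return (n, e), d


def encrypt(public_key: tuple[int, int], m: int) -> int:
    """Easy for everyone: E_B(m) = m^e mod N, using only Bob's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below N")
    return pow(m, e, n)


def decrypt(public_key: tuple[int, int], d: int, c: int) -> int:
    """Easy for Bob: c^d mod N."""
    n, _ = public_key
    return pow(c, d, n)


def recover_private_key(public_key: tuple[int, int], p: int, q: int) -> int:
    """What if factoring is easy? Whoever obtains p, q from N recomputes d exactly as Bob did."""
    n, e = public_key
    if p * q != n:
        raise ValueError("not the factors of N")
    return pow(e, -1, (p - 1) * (q - 1))


def recover_small_message(public_key: tuple[int, int], c: int, candidates) -> int | None:
    """Textbook RSA is deterministic, so it is not the envelope of slide 12 ('hard to compute even
    partial information'): anyone can re-encrypt every candidate message and compare with c.
    This is why real deployments add randomised padding (RSA-OAEP), omitted here."""
    for m in candidates:
        if encrypt(public_key, m) == c:
            return m
    return None
```

The first check is the sharp form of slide 44's "assumes factoring is hard": the private key is a deterministic function of the public key and the factors. The second is the gap between this envelope and the lecture's definition, which Goldwasser and Micali closed with probabilistic encryption.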
Slide 45: The Millionaires' Problem
Both want to know who is richer. Neither gets any other information. Privacy problems exist even when there are no eavesdroppers!
g(A, B) = 0 if A > B, and 1 if A <= B.
A, B are integers describing the wealth of these millionaires. They want to engage in a kind of "zero-knowledge" conversation, which will reveal nothing to either, except who is richer.
Slide 46: Computing with secret inputs
Elections: S_i = 0 for Democrats, 1 for Republicans; winner = g(S_1, S_2, ..., S_n) with g = Majority.
All players are honest. All players learn g(S_1, S_2, ..., S_n). No subset learns anything more.
Here is another basic problem: elections. We want to do it digitally, so that everyone learns the outcome, but no user (or subset of users) learns anything more than can be inferred from their own secrets and the outcome.
Slide 47: Oblivious computation [Yao 1986]
How to compute natural functions privately? Generalize: try to do it for every function. Specialize: identify a universal function. Solve it (using special envelopes).
Here is Yao's famous "oblivious computation" solution to all these problems. (Yao did the 2-player case. It was generalized to any number of players in Goldreich-Micali-Wigderson 1987.)
Slide 48: Computation in small steps
Ignore privacy. Every g has a Boolean circuit computing g(inputs) from AND and OR gates (circuit diagram on the slide).
First, we abstract and generalize, to attempt any function. Any function g has such a "Boolean circuit" (which is how you'd implement it in hardware). One needs to add a "negation" gate, but we'll ignore it. If privacy is no issue, the players can evaluate the circuit gate by gate.
Slide 49: Computing with envelopes I
AND is universal. Alice holds a, Bob holds b; computing a AND b privately is possible with personal envelopes (Axiom 2: factoring is hard).
The locality and simplicity of computation reveal that we should first somehow handle the basic steps, AND and OR. AND is a universal (complete) problem: if we manage to solve it "privately" (OR is dual, so similar), then we can compute any function privately! Yao shows how to do that with personal envelopes. It is an ingenious protocol, and defining exactly what it means to "compute with envelopes", namely how the players jointly hold a value without any of them having access to it or the ability to change it, is complex.
Slide 50: Computing with envelopes II
Once we can do a basic step, we can do them all in sequence, through the whole circuit for g(inputs). At the end, the players have the ability to open the last envelope, the one they are interested in opening.
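Added example (mine, not Yao's or the lecture's code): a toy version of "computing with envelopes" from slides 47 to 50 for the election function of slide 46, majority of three votes. Each wire carries two random labels that act as envelopes for 0 and 1, SHA-256 stands in for the encryption of each gate's truth table, and the evaluator, holding one label per wire, walks the circuit gate by gate and can open only the final output. The circuit, the wire and function names, and the parties' inputs are constructed for the illustration; the oblivious-transfer step by which the evaluator gets his own input labels is simulated, not implemented.

```python
"""Added example: a toy Yao garbled circuit for the 3-voter majority function."""
import hashlib
import secrets

LABEL_LEN = 16  # bytes per wire label


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def AND(x, y): return x & y
def OR(x, y): return x | y


# Majority(a, b, c) = (a AND b) OR (a AND c) OR (b AND c), as gates: (id, in1, in2, out, function).
CIRCUIT = [(0, "a", "b", "g0", AND), (1, "a", "c", "g1", AND), (2, "b", "c", "g2", AND),
           (3, "g0", "g1", "g3", OR), (4, "g3", "g2", "out", OR)]
WIRES = ["a", "b", "c", "g0", "g1", "g2", "g3", "out"]


def garble(circuit, wires):
    """Garbler (Alice): two random labels per wire (one meaning 0, one meaning 1), and per gate four
    ciphertexts, each sealing the correct output label under the pair of input labels that selects it."""
    labels = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN)) for w in wires}
    tables = {}
    for gid, w1, w2, wout, f in circuit:
        rows = []
        for x in (0, 1):
            for y in (0, 1):
                pad = H(labels[w1][x], labels[w2][y], gid.to_bytes(4, "big"))
                # plaintext = output label || 16 zero bytes; the zero tag tells the evaluator which row opened
                rows.append(xor(labels[wout][f(x, y)] + bytes(LABEL_LEN), pad))
        secrets.SystemRandom().shuffle(rows)   # hide which row belongs to which input pair
        tables[gid] = rows
    return labels, tables


def eval_gate(gid, rows, lab1, lab2):
    """Evaluator: with exactly one label per input wire, exactly one row decrypts to a valid tag."""
    pad = H(lab1, lab2, gid.to_bytes(4, "big"))
    for row in rows:
        pt = xor(row, pad)
        if pt[LABEL_LEN:] == bytes(LABEL_LEN):
            return pt[:LABEL_LEN]
    raise ValueError(f"gate {gid}: the given labels open no row")


def evaluate(circuit, tables, input_labels):
    """Walk the circuit gate by gate (slide 50). The evaluator never holds both labels of any wire."""
    known = dict(input_labels)
    for gid, w1, w2, wout, _ in circuit:
        known[wout] = eval_gate(gid, tables[gid], known[w1], known[w2])
    return known["out"]


def secure_majority(a, b, c):
    """Two-party run: Alice holds vote a, Bob holds votes b and c. Both learn only the majority."""
    labels, tables = garble(CIRCUIT, WIRES)
    bob_view = {"a": labels["a"][a]}   # Alice sends Bob the tables and the label of her own bit
    # Bob needs the label of his bit on wires b and c without Alice learning the bit and without
    # seeing the other label. Yao uses 1-out-of-2 oblivious transfer for this; the example
    # simulates OT by a direct lookup (an assumption, not a secure implementation).
    bob_view["b"] = labels["b"][b]
    bob_view["c"] = labels["c"][c]
    out_label = evaluate(CIRCUIT, tables, bob_view)
    decode = {labels["out"][0]: 0, labels["out"][1]: 1}   # Alice reveals the meaning of the output labels only
    return decode[out_label]


def wrong_label_opens_nothing() -> bool:
    """A label the evaluator was not given opens no row, so the other parties' inputs stay sealed."""
    labels, tables = garble(CIRCUIT, WIRES)
    try:
        eval_gate(0, tables[0], secrets.token_bytes(LABEL_LEN), labels["b"][0])
    except ValueError:
        return True
    return False
```

Intermediate wires such as g0 are exactly the slide's "jointly held" values: Bob holds one label of each but cannot tell whether it means 0 or 1, and Alice never sees which label he holds. Only the output wire's labels are decoded.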
Slide 51: Summary
- Practically every cryptographic task can be performed securely and privately, assuming that players are computationally bounded and factoring is hard.
- Computational complexity is essential! Hard problems can be useful!
- The theory predated (and enabled) the Internet.
- What if factoring is easy? We have (very) few alternatives.
- Major open question: can cryptography be based on NP-complete problems?