Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography and Pseudorandomness

Published byCorey Dawson Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptography and Pseudorandomness"— Presentation transcript:

1 Cryptography and Pseudorandomness
Theoretical ideas behind e-commerce and the Internet revolution Avi Wigderson Institute for Advanced Study

2 Plan - Cryptography before computational complexity
- The ambitions of modern cryptography The assumptions of modern cryptography The “digital envelope” abstraction Blackboard break: Formalizing some of the defs. Psudorandomness, and modern broader context. Hardness amplification proof. Zero-knowledge proofs

3 Cryptography before 1970s Alice Bob Secret communication
Assumes Alice and Bob share Information which no one else has

4 Secret communication since 1970s
Alice and Bob want to have a completely private conversation. They share no private information Many in this audience has already faced and solved this problem often! Alice, Bob and their problems were born before cryptography! This famous 60’s movies is about discussing your feelings. Alice and Bob want to do so in a manner that will not allow carol and Ted To understand a single word. They share no common private information.

5 Public-key encryption, e-commerce security
I want to purchase “War and Peace”. My credit card is number is you Public-key encryption, e-commerce security Diffie-Hellman, Merkle, Rivest-Shamir-Adleman, Rabin Key conceptual ideas: complexity-based crypto, one-way and trapdoor functions This is the important idea of public-key cryptography, which initiated computationally based crypto. We need more than the digital envelope as we defined it, but rather “personal” envelopes. Eg Bob’s envelopes can allow anyone to send him secret information, which only he can understand. No prior shared information is needed – only the hardness of factoring (the famous RSA protocol) Goldwasser-Micali, Blum-Micali, Yao 1981 Key formal definitions, techniques and proofs: Computational indistinuishability, pseudorandomness

6 Modern Cryptography Any task with conflict between privacy and resilience. Mathematics of - Encryption - Secret exchange - Identification - Poker game on the phone - Money transfer - Public lottery These two basic issues occur in lots of human interactions. Usually, physical implements were invented to deal with privacy & resilience - Public bids - Sign contracts Digitally, with no trusted parties Mostly developed before the Internet

7 What are we assuming? The axioms underlying modern cryptography

8 Axiom 1: Agents are computationally limited (say, to polynomial time)
Consequence 1: Only tasks having efficient algorithms can be performed This can be defined in many ways – one common one is that Agents can toss coins, and compute for polynomial time (but other definitions make sense, such as memory bounds etc).

9 Easy and Hard Problems asymptotic complexity of functions
Multiplication mult(23,67) = 1541 grade school algorithm: n2 steps on n digit inputs EASY Can be performed quickly for huge integers Factoring factor(1541) = (23,67) best known algorithm: exp(n) steps on n digits HARD? We don’t know! We’ll assume it. Axiom 2: Factoring is hard!

10 Axiom 1: Agents are computationally limited Axiom 2: Factoring is hard
Easy p,q pq Impossible (p,q) and pq are information theoretically equivalent for primes p,q. However, computationally they are very different! Theorem: Axioms  digital

11 One-way functions Axiom 1: Agents are computationally limited
Axiom 2’: The exist one-way functions E x E(x) Easy Impossible Example: E(p,q) = pq E is multiplication We have other E’s More generally, we can assume “one-way” functions, and multiplication is one of a few candidates for such function we have. Nature may provide others (but this is only an analogy). Easy Impossible Nature’s one-way functions: 2nd law of Thermodynamics

12 Envelopes as commitments
Blum 1981 Envelopes as commitments Alice if I get the car (else you do) Bob flipping... flipping... You lost! What did you pick? E(x) x OPEN CLOSED Here the players are on the phone, They cannot see what the other is doing. They decide to toss a coin and see who gets the car – can they do it? The envelope prevents Bob from seeing the value, but Alice can’t change her mind later. Alice can insert any x (even 1 bit) Bob cannot compute content (even partial info) Alice cannot change content (E(x) defines x) Alice can prove to Bob that x is the content

13 Switching to a black board lecture
Intermission – Switching to a black board lecture Formal definititions of computational pseudorandomness. Connections and generalizations of these defs to arithmetic combinatorics. Using these defs to define digital envelope (formally, a bit-commitment scheme) Survey by Salil Vadhan: Theory came much before practice!

14 Zero-knowledge proofs
Theory came much before practice!

15 Copyrights Dr. Alice: I can prove Riemann’s Hypothesis
Prof. Bob: Impossible! What is the proof? Dr. Alice: Lemma…Proof…Lemma…Proof... Another example where wishful thinking helps. Any other situation if protecting intellectual rights is relevant. Prof. Bob: Amazing!! I’ll recommend tenure Amazing!! I’ll publish first

16 Zero-Knowledge Proof “Claim” Bob Alice (“proof”) Accept/Reject
Goldwasser-Micali -Rackoff “Claim” Bob Alice (“proof”) Accept/Reject Formally defining zero-knowledge is quite complicated. But the inuition is simple. Alice and Bob both know the claim to be proven. They can each toss random coins. They interact for a few rounds, after which Bob decides to accept or reject the claim. They can use randomness, and Bob fails to detect a false claim by an arbitrarily small probability (which he chooses, and depends only on his coin tosses). Bob accepts Bob learns nothing* “Claim” true  “Claim” false  Bob rejects with high probability

17 The universality of Zero-Knowledge
Goldreich-Micali -Wigderson 1986 Theorem: Everything you can prove at all, you can prove in Zero-Knowledge We’ll see the intuition for the proof of this universality theorem in several stages. First, we’ll argue it for “map-coloring claims”, and demo a zero-knowledge proof for such claims. Then we explain why the ability to do that takes care of all possible mathematical claims

18 ZK-proofs of Map Coloring
Input: planar map M Claim: M is 3-colorable Natural mathematical Proof: 3-coloring of M (gives lots of info) Let’s look at different types of claims. We had”I know my password” and “I can prove the Riemann hypothesis”. Now – “I can color this map in 3 colors”. Famous 4-color theorem of Appel and Haken, states that every planar map can be 4-colored (so a claim that a map is 4-colorable is not an interesting one – always true). Theorem [GMW]: Such claims have ZK-proofs

19 I’ll prove this claim in zero-knowledge
Claim: This map is 3-colorable (with R Y G ) Note: if I have any 3-coloring of any map Then I immediately have 6 Q P F M O N L K J I H G E C B D A This basic combinatorial property of colorings, namely that the colors can be renamed at random, will be essential.

20 Q P F M O N L K J I H G E C D A Structure of proof:
Repeat (until satisfied) - I hide a random one of my 6 colorings in digital envelopes You pick a pair of adjacent countries I open this pair of envelopes Reject if you see RR,YY,GG or illegal color Q P F M O N L K J I H G E C B D A

21 Zero-knowledge proof demo (open two adjacent envelopes
on any subsequent slide) For each one of these colorings (encrypted by digital envelopes) which I chose randomly For each slide, do the following. First, you need to get out of presentation mode. Let the audience pick a pair of adjacent countries. Then drag the white covers of the envelopes, only on these two countries, to reveal the underlying colors. Don’t reveal the colors of any other country.

22 L K E I J G O M D B A F C N Q H P

23 L K E I J G O M D B F A C N Q H P

24 L K E I J G O M D B F A C N Q H P

25 L K E I J G O D M B F A C N Q H P

26 L K E I J G O M D B F A C N Q H P

27 L K E I J G O M D B F A C N Q H P

28 L K E I J G O M D B F A C N Q H P

29 L K E I J G O M D B F A C N Q H P

30 L K E I J G O M D B F A C N Q H P

31 L K E I J G O M D B F A C N Q H P

32 L K E I J G O M D B F A C N Q H P

33 L K E I J G O M D B F A C N Q H P

34 A, B are integers, describing the wealth of these millionaires
They want to engage in a kind of “zero-knowledge “ conversation, Which will reveal nothing to either, except who is richer.

35 Why is it a Zero-Knowledge Proof?
Exposed information is useless (random) Non-exposed info is useless (pseudorandom) (Bob learns nothing)* M 3-colorable  Probability [Accept] =1 (Alice always convinces Bob) M not 3-colorable Prob [Accept] < 1-1/n  Prob [Accept in n2 trials] < exp(-n) (Alice rarely convince Bob) [Formalizing this argument is quite complex!] If the coloring was legal, and each time a random renaming of the 6 possible ones was chosen: 1) ZK – at every step, only a pair of random distinct colors was exposed. 2) Bob would never find a reason to reject. But if the map is not 3-coloring, there must be either a pair of adjacent countries with the same color, or an illegal color somewhere. If the pair is picked randomly, Bob would catch this error with at least 1% probability. If he repeats it k times, the probability he doesn’t catch an error drops exponentially like .99k Which becomes tiny very quickly.

36 What does it have to do with Riemann’s Hypothesis?
Theorem: There is an efficient algorithm A: A “Claim” + “Proof length” Map M “Claim” true M 3-colorable Here we use the fact that 3-coloring is NP-complete, which allows a translation of any problem with a short proof into a map coloring problem (as well as the proof itself to a legal coloring) via the Cook-Levin theorem. “Proof” 3-coloring of M A is the Cook-Karp-Levin “dictionary”, Proving that 3-coloring is NP-complete

37  Theorem [GMW]: + short proof  efficient ZK proof Theorem [GMW]:
The incredible utility of ZK protocols – They guarantee correct behavior of agents, despite the existence of secrets. Theorem [GMW]:  fault-tolerant protocols

38 Summary Practically every cryptographic task can be performed securely & privately Assuming that players are computationally bounded, and that Factoring is hard. Computational complexity is essential! Randomness is essential for defining secrets Pseudorandomness essential for security proofs Hard problems can be useful! - The theory predated (& enabled) the Internet What if factoring is easy? Few alternatives! Open Q1: Base cryptography on proven hardness Open Q2: Model physical attacks realistically

Download ppt "Cryptography and Pseudorandomness"

Similar presentations

Wonders of the Digital Envelope

Wonders of the Digital Envelope
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Digital Envelopes, Zero Knowledge, and other wonders of modern cryptography (How computational complexity enables digital security & privacy) Guy Rothblum.

Digital Envelopes, Zero Knowledge, and other wonders of modern cryptography (How computational complexity enables digital security & privacy) Guy Rothblum.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.

Quadratic Residuosity and Two Distinct Prime Factor ZK Protocols By Stephen Hall.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
RSA Ramki Thurimella.

RSA Ramki Thurimella.

Similar presentations

Ads by Google