Presentation is loading. Please wait.

Presentation is loading. Please wait.

Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study.

Published byReginald Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study."— Presentation transcript:

1 Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study

2 Modern Cryptography Secrecy / Privacy Resilience / Fault Tolerance TasksImplements Encryption Code books Identification Driver License Money transfer Notes, checks Public bids Sealed envelopes

3 Modern Cryptography TasksImplements Information protection Locks Poker game Play cards Public lottery Coins, dice Sign contracts Lawyers ALLNONE No trusted parties

4 Complexity Based Cryptography TIME (multiply) = n 2 23,67 1541 P P TIME (factor) = 2  n 23,67 1541 Axiom 2: Factoring is computationally hard Axiom 1: Players are computationally limited n = binary input length, TIME = grows slowly with n Axiom 0 : Players can toss coins

5 xf(x) Easy Hard Theorem: One way function  digital that Axiom 2: There exist one-way functions:

6 Properties of the Envelope f(x) x Easy to insert x (any value, even 1 bit) Hard to compute content (even partial information) Impossible to change content (f(x) defines x) Easy to verify that x is the content  Cryptography Theorem : OPENCLOSED

7 Public bid (players in one room) Phase 1: Commit Phase 2: Expose P1P1 $130 P2P2 $120 P3P3 f(130)f(120)f(150) 130120150 Theorem:  Simultaneity $150

8 Public Lottery (on the phone) AliceBob Bob: flipping... You lost! Theorem:  Symmetry breaking Alice: if I get the car (otherwise you do) What did you pick?Bob: flipping...

9 Identification - Password Public passwd file Namef(pswd)… aliceP alice… aviP avi =f(einat)… bobP bob… Computer 1 checks if f(pswd) = P avi 2 erases password from screen. login:avi password:einat

10 Theorem:  Identification Problem: repeated use! Computer should check if I know x such that f(x)=P avi without getting x Zero-Knowledge Proof: Convincing Reveals no information

11 Copyrights Dr. Alice: I can prove the Riemann Hypothesis Dr. Alice: Lemma…Proof…Lemma…Proof... Prof. Bob: Impossible! What is the proof? Prof. Bob: Amazing!! I will recommend tenure

12 Zero-Knowledge Proof “Claim” BobAlice (“proof”) Accept/Reject “Claim” false   Bob rejects “Claim” true  Bob accepts Bob learns nothing With high probability }

13 Map Coloring Input: planar map G 4-COL: is G 4-colorable? 3-COL: is G 3-colorable? YES! HARD!

14 Why is it a Zero-Knowledge Proof? Exposed information is useless (Bob learns nothing) G 3-colorable  Probability[Accept] =1 (Alice always convinces Bob) G not 3-colorable  Probability[Accept] <.99  Prob[Accept in 300 experiments]<1/billion (Alice rarely convince Bob) Why did you let me use physical implements?

15 What does it have to do with the Riemann Hypothesis? Theorem: There exists an efficient algorithm A: A “Claim” + “Proof length” Map G “Claim” trueG 3-colorable “Proof” A 3 coloring of G

16 Theorem: + short proof  efficient ZK proof  Theorem:  fault tolerant protocols

17 Making any protocol fault-tolerant 1. P 2 : m 1 =g 1 (s 2 ) 2. P 7 : m 2 =g 2 (s 7,m 1 ) 3. P 1 : m 3 =g 3 (s 1,m 1,m 2 ) P2P2 s2s2 P7P7 s7s7 P1P1 s1s1 P3P3 s3s3 g i easy to compute, m i public knowledge s i secret

18 Problem: Did P 1 cheat in step 3? i.e. does m 3 =g 3 (s 1,m 1,m 2 ) ?? Solution: The claim “m 3 =g 3 (s 1,m 1,m 2 )” has a short proof! Which is …. P 1 will prove it in Zero-Knowledge! s1s1

19 So Far... Fault Tolerance (we can force players to behave well!) ?Privacy/Secrecy (cannot prevent listening)

20 Undecipherable communication line Public Key Encryption AliceBob Eavesdropper: listens, does not understand even if Alice & Bob never met before

21 Computing Functions on Secret Inputs g... X1P1X1P1 X2P2X2P2 XnPnXnPn Example: Ballot g = Majority The players P i are honest. All players learn g(x 1,x 2,…x n ) No subset learns anything more

22 The Millionaires’ Problem AliceBob BA Both want to know who is richer Neither gets any other information

23 a Alice b Bob AND 0 01 0 01 0 1 Possible with personal

24 1 01 100 How to ensure Privacy Oblivious Computation 011 g(inputs) V V V V V V 1

25 Theorem:  every “game”, with any secrecy requirements, can be implemented personal Game Theory: description of partial information games in extensive form

26 Trap-Door Function (personal envelope) xf B (x) Easy for all Book of Functions … Alice f A … Bob f B... Public New axiom: there exist personal Easy for Bob Hard for others Factoring is hard 

27 ... Nature... Alice Nature... Alice Bob Information Sets Player’s action depends only on its information set

28 Completeness Theorems Every game with: n players, s listeners, t faults can be implemented if: Players are computationally limited* Trap-door functions exist s  n,t  n/2 * P i, P j communicate over a secure line  i,j s  n/2,t  n/3 No limit on Computation Information Theoretic Security

29 Digital Signature Bob signs document m with signature y: Easy for anyone to check Hard for everyone else to forge (m, y)

30 Oblivious Transfer “AND” protocol xAxA Alice 0 01 0 01 b=x B Bob

31 + a Alice b Bob XOR 0 10 1 01 0 1 a Alice b Bob AND 0 01 0 01 0 1 Trivial! Possible with personal

32 Any efficient function g g + ++ xAxA yAyA zBzB xBxB ybyb Many players: Secret sharing Computing with shares personal

33 Oblivious computation: any efficient function g 1 0 01 0 110 10 1 g(inputs)    1

34 Oblivious computation: any efficient function g 0 1 0 010 10 1 g(inputs)    1

Download ppt "Wonders of the Digital Envelope Avi Wigderson Institute for Advanced Study."

Similar presentations

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.

Public Key Cryptography Nick Feamster CS 6262 Spring 2009.
Moni Naor מוני נאור Cryptography and Sudoku

Moni Naor מוני נאור Cryptography and Sudoku
Wonders of the Digital Envelope

Wonders of the Digital Envelope
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Cryptography on weak BSS model of computation Ilir Çapuni

1 Cryptography on weak BSS model of computation Ilir Çapuni
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Proof, Computation, & Randomness Kurt Gödel John von Neumann and Theoretical Computer Science Avi Wigderson School of Mathematics Institute for Advanced.

Proof, Computation, & Randomness Kurt Gödel John von Neumann and Theoretical Computer Science Avi Wigderson School of Mathematics Institute for Advanced.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Public Key Algorithms …….. RAIT M. Chatterjee.

Public Key Algorithms …….. RAIT M. Chatterjee.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
The Bright Side of Hardness Relating Computational Complexity and Cryptography Oded Goldreich Weizmann Institute of Science.

The Bright Side of Hardness Relating Computational Complexity and Cryptography Oded Goldreich Weizmann Institute of Science.
UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.

UCB Security Jean Walrand EECS. UCB Outline Threats Cryptography Basic Mechanisms Secret Key Public Key Hashing Security Systems Integrity Key Management.

Similar presentations

Ads by Google