Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,

Published byVirginia Ross Modified over 8 years ago

Similar presentations

Presentation on theme: "CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,"— Presentation transcript:

1 CSC 3130: Automata theory and formal languages Andrej Bogdanov http://www.cse.cuhk.edu.hk/~andrejb/csc3130 The Chinese University of Hong Kong Interaction, randomness, and zero-knowledge Fall 2008

2

3 Authentication What happens when you type in your password?

4 Naïve authentication The server knows your password So they can impersonate you at other web sites where you use the same password login: me password: opensesame OK you server acme.com

5 “Zero-knowledge” authentication acme.com Can you convince the server that you know your password, without revealing it (and anything else)? I know the password Can you prove it?

6 What is knowledge? Example 1: Tomorrow’s lottery numbers We are ignorant of them because they are random What is ignorance? (lack of knowledge) 2311272811

7 What is ignorance? Example 2: A difficult homework problem We are ignorant because it takes a lot of work to figure out the answer Questions of this type include –Finding satisfying assignments to Boolean formulas –Finding cliques in graphs... Problem 4 (a) Show that P ≠ NP. (If you collect $1,000,000, give it to your CSC3130 instructor.)

8 Using ignorance to our advantage acme.com I know the password Can you prove it? We want to convince the server that we know the password, while keeping it ignorant of the password itself The server is convinced, but gains zero-knowledge!

9 I can convince you Bin Laden is in there, without revealing his secret location!

10 Zero-knowledge I can convince you that I know where he is But you have zero information about how to find him yourself!

11 A protocol for non-color-blindness You want to convince me you are not color-blind I pull at random either a red ball or a blue ball and show it to you You say “red” or “blue” We repeat this 10 times If you got all the answers right, I am convinced you know red from blue

12 Interaction and knowledge What knowledge did I gain from this interaction? I learned that you can tell blue from red But I also learned the colors of the balls in each glass Suppose I was color-blind Then I used you to gain some knowledge!

13 A different protocol box 1 box 2 I pull at random either a red ball or a blue ball and show it to you Each time, you say “same color as previous” or “different color from previous” We repeat 10 times If you got all the answers right, I am convinced you know red from blue But I did not gain any other knowledge!

14 Zero-knowledge Suppose I am color-blind but you are not In the first protocol, I cannot predict your answer ahead of time In the second protocol, I know what you will say, so I do not gain knowledge when you say it

15 Zero-knowledge password authentication acme.com Oded GoldreichSilvio MicaliAvi Wigderson

16 Graph coloring Theorem Task: Assign one of 3 colors to the vertices so that no edge has both endpoints of same color 3COL = {G: G has a valid 3-coloring } 3COL is NP -complete

17 NP-hardness of 3COL Proof sketch of NP -hardness: Reduce from 3SAT We describe G: 3CNF formula f graph G G has a valid 3-coloring R f is satisfiable Part I: 3 special vertices T (true), F (false), and X T F X

18 NP -hardness of 3COL Part 2: For each variable x i xixi X xixi Either x i has color of T and x i has color of F Or x i has color of F and x i has color of T Part 3: For each clause, e.g. x 1 ∨ x 2 ∨ x 3 Can be 3-colored iff clause is satisfied x1x1 x2x2 x3x3 T

19 Password authentication via 3-coloring Step 0: When you register for the web service, choose your password to be a valid 3-coloring of some (suitable) graph acme.com registration password: 1 2 3 4 5 6 G

20 Registration phase When the server asks for your password do not send the password, but send the graph G instead (without the colors) acme.com password: 1 2 3 4 5 6 G password? G

21 Intuition about registration phase Because 3-coloring is hard, the server will not be able to figure out your password (coloring) from G Later, when you try to log in, you will convince the server that you know how to color G, without revealing the coloring itself The server will be convinced you know your password but remain ignorant about what it is

22 The login phase password: You randomly permute the colors You lock each of the colors in a box and send the boxes to the server 1 2 3 4 5 6 The server chooses an edge at random and asks for the keys to the boxes at the endpoints You send the requested keys The server unlocks the two boxes and checks the colors are different Repeat this 1000 times. Login succeeds if colors always different

23 Analysis in the login phase If you are an impostor, you won’t know how to color the graph –At least one of the edges will have endpoints of the same color, and the server is likely to catch this If you are honest, the server remains ignorant about your password –Each time, he merely sees two random different colors But how do we send locked boxes and keys over the internet?

24

25 What’s next CSC 3120: Compilers Teaches you how to write parsers and compilers for your favorite programming language Fall 2010 CSC 5170: Computational Complexity Spring 2010 Computational hardness beyond NP-completeness http://www.cse.cuhk.edu.hk/~andrejb/csc5170/ CSC 5251: Cryptography Spring 2011 Tells you about the bright side of hardness! (Pending approval)

Download ppt "CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,"

Similar presentations

Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 18 MAS 714 Hartmut Klauck.
NP-Completeness: Reductions

NP-Completeness: Reductions
The Theory of NP-Completeness

The Theory of NP-Completeness
© The McGraw-Hill Companies, Inc., 2005 8 - 1 Chapter 8 The Theory of NP-Completeness.

© The McGraw-Hill Companies, Inc., Chapter 8 The Theory of NP-Completeness.
CSC5160 Topics in Algorithms Tutorial 2 Introduction to NP-Complete Problems Feb 8 2007 Jerry Le

CSC5160 Topics in Algorithms Tutorial 2 Introduction to NP-Complete Problems Feb Jerry Le
CS21 Decidability and Tractability

CS21 Decidability and Tractability
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Computability and Complexity 15-1 Computability and Complexity Andrei Bulatov NP-Completeness.

Computability and Complexity 15-1 Computability and Complexity Andrei Bulatov NP-Completeness.
1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 23 Instructor: Paul Beame.

1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 23 Instructor: Paul Beame.
Fall 2006Costas Busch - RPI1 More NP-complete Problems.

Fall 2006Costas Busch - RPI1 More NP-complete Problems.
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 24 Instructor: Paul Beame.

1 CSE 417: Algorithms and Computational Complexity Winter 2001 Lecture 24 Instructor: Paul Beame.
Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.

Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.
Black-box (oracle) Feed me a weighted graph G and I will tell you the weight of the max-weight matching of G.

Black-box (oracle) Feed me a weighted graph G and I will tell you the weight of the max-weight matching of G.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Clique Cover Cook’s Theorem 3SAT and Independent Set

Clique Cover Cook’s Theorem 3SAT and Independent Set
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,

CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Interaction,
The Theory of NP-Completeness 1. What is NP-completeness? Consider the circuit satisfiability problem Difficult to answer the decision problem in polynomial.

The Theory of NP-Completeness 1. What is NP-completeness? Consider the circuit satisfiability problem Difficult to answer the decision problem in polynomial.
1 The Theory of NP-Completeness 2012/11/6 P: the class of problems which can be solved by a deterministic polynomial algorithm. NP : the class of decision.

1 The Theory of NP-Completeness 2012/11/6 P: the class of problems which can be solved by a deterministic polynomial algorithm. NP : the class of decision.
Nattee Niparnan. Easy & Hard Problem What is “difficulty” of problem? Difficult for computer scientist to derive algorithm for the problem? Difficult.

Nattee Niparnan. Easy & Hard Problem What is “difficulty” of problem? Difficult for computer scientist to derive algorithm for the problem? Difficult.

Similar presentations

Ads by Google