Wonders of the Digital Envelope

Avi Wigderson

Institute for Advanced Study

Post on 31-Dec-2015



Modern Cryptography

• Secrecy / Privacy

• Resilience / Fault Tolerance

Tasks | Implements
Encryption | Code books
Identification | Driver License
Money transfer | Notes, checks
Public bids | Sealed envelopes

Modern Cryptography

Tasks | Implements
Information protection | Locks
Poker game | Play cards
Public lottery | Coins, dice
Sign contracts | Lawyers

ALL NONE

No trusted parties

Complexity Based Cryptography

TIME (multiply) = n223,67 1541P

P TIME (factor) = 2n23,67 1541

Axiom 2: Factoring is computationally hard

Axiom 1: Players are computationally limited

n = binary input length, TIME = grows slowly with n

Axiom 0 : Players can toss coins

x f(x)

Easy

Hard

Theorem: One way function digital

INTEGERSINTEGERS : f that

Axiom 2: There exist one-way functions:

Properties of the Envelope

f(x) x

• Easy to insert x (any value, even 1 bit)

• Hard to compute content (even partial information)

• Impossible to change content (f(x) defines x)

• Easy to verify that x is the content

Cryptography

Theorem:

OPEN CLOSED

Public bid (players in one room)

Player | Bid | Phase 1: Commit | Phase 2: Expose
P1 | $130 | f(130) | 130
P2 | $120 | f(120) | 120
P3 | $150 | f(150) | 150

Theorem: Simultaneity
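The commit/expose bid above, as an added example that is not part of the original slides. SHA-256 stands in for the one-way function f; the random nonce, the function names and the 8-byte bid encoding are assumptions made here.

```python
import hashlib
import hmac
import secrets


def commit(bid):
    """Phase 1: seal a bid. Returns (envelope, nonce); only the envelope is published."""
    nonce = secrets.token_bytes(32)  # without it, f(bid) could be brute-forced over likely bids
    envelope = hashlib.sha256(nonce + bid.to_bytes(8, "big")).digest()
    return envelope, nonce


def verify(envelope, bid, nonce):
    """Phase 2: anyone can recompute the envelope from the exposed (bid, nonce)."""
    recomputed = hashlib.sha256(nonce + bid.to_bytes(8, "big")).digest()
    return hmac.compare_digest(envelope, recomputed)


def run_auction(bids, claimed_at_expose=None):
    """Run both phases; claimed_at_expose lets a player try to change a bid after seeing others."""
    claimed_at_expose = claimed_at_expose or {}
    board, openings = {}, {}
    for player, bid in bids.items():          # Phase 1: all envelopes go on the public board
        board[player], openings[player] = commit(bid)
    accepted, rejected = {}, []
    for player, bid in bids.items():          # Phase 2: expose and check against the board
        exposed = claimed_at_expose.get(player, bid)
        if verify(board[player], exposed, openings[player]):
            accepted[player] = exposed
        else:
            rejected.append(player)
    winner = max(accepted, key=accepted.get) if accepted else None
    return winner, rejected


# Constructed sample input: the three bids from the slide.
SLIDE_BIDS = {"P1": 130, "P2": 120, "P3": 150}

if __name__ == "__main__":
    print(run_auction(SLIDE_BIDS))                 # honest run
    print(run_auction(SLIDE_BIDS, {"P1": 151}))    # P1 tries to raise its bid at exposure
```

The nonce matters because bids come from a small set: with a bare f(bid), anyone could evaluate f on every plausible amount and read the envelope.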

Public Lottery (on the phone)

Alice Bob

Bob: flipping... You lost!

Theorem: Symmetry breaking

Alice: if I get the car (otherwise you do)

What did you pick?

Bob: flipping...

Identification - Password

Public passwd file

Name | f(pswd)
… | …
alice | Palice
… | …
avi | Pavi = f(einat)
… | …
bob | Pbob
… | …

Computer:

1. checks if f(pswd) = Pavi

2. erases password from screen.

login: avi

password: einat

Theorem: Identification

Problem: repeated use!

Computer should check if I know x such that f(x)=Pavi without getting x

Zero-Knowledge Proof:

• Convincing

• Reveals no information

Copyrights

Dr. Alice: I can prove the Riemann Hypothesis

Dr. Alice: Lemma…Proof…Lemma…Proof...

Prof. Bob: Impossible! What is the proof?

Prof. Bob: Amazing!! I will recommend tenure

Zero-Knowledge Proof

“Claim”

Bob Alice (“proof”)

Accept/Reject

“Claim” false:
• Bob rejects

“Claim” true:
• Bob accepts
• Bob learns nothing

} With high probability

Map Coloring

Input: planar map G

4-COL: is G 4-colorable?

3-COL: is G 3-colorable?

YES!

HARD!

Why is it a Zero-Knowledge Proof?

• Exposed information is useless (Bob learns nothing)

• G 3-colorable Probability[Accept] =1 (Alice always convinces Bob)

• G not 3-colorable Probability[Accept] <.99

Prob[Accept in 300 experiments] < 1/billion (Alice rarely convinces Bob)

Why did you let me use physical implements?

What does it have to do with the Riemann Hypothesis?

Theorem: There exists an efficient algorithm A:

A“Claim” +“Proof length”

Map G

“Claim” true G 3-colorable

“Proof” A 3 coloring of G

Theorem: + short proof efficient ZK proof

Theorem: fault tolerant protocols

Making any protocol fault-tolerant

1. P2: m1=g1(s2)

2. P7: m2=g2(s7,m1)

3. P1: m3=g3(s1,m1,m2)

P2

s2

P7

s7

P1

s1

P3

s3

gi easy to compute, mi public knowledge

si secret

Problem: Did P1 cheat in step 3? i.e. does m3=g3(s1,m1,m2) ??

Solution: The claim “m3=g3(s1,m1,m2)” has a short proof! Which is ….

P1 will prove it in Zero-Knowledge!

s1

So Far...

Fault Tolerance

(we can force players to behave well!)

? Privacy/Secrecy

(cannot prevent listening)

Undecipherable communication line

Public Key Encryption

Alice Bob

Eavesdropper: listens, does not understand

even if Alice & Bob never met before

Computing Functions on Secret Inputs

[Figure: function g taking input X1 from P1, X2 from P2, ..., Xn from Pn]

Example: Ballot

g = Majority

Xi: Gore 1, Bush 0

The players Pi are honest.

• All players learn g(x1,x2,…xn)

• No subset learns anything more

The Millionaires’ Problem

Alice Bob

BA

Both want to know who is richer

Neither gets any other information

BA

BABAg

if 1

if 0),(

[Figure: truth table of AND on Alice's bit a and Bob's bit b]

Possible with personal

How to ensure Privacy

Oblivious Computation

[Figure: circuit of gates evaluating g(inputs) on input bits]

Theorem: every “game”, with any secrecy requirements, can be implemented

personal

Game Theory: description of partial information games in extensive form

Trap-Door Function (personal envelope)

x fB(x)

Easy for all

Book of Functions

…Alice fA

…Bob fB

...

Public

New axiom: there exist personal

Easy for Bob

Hard for others

Factoring is hard

[Figure: game tree with nodes for Nature, Alice and Bob]

Information Sets

• Player’s action depends only on its information set

Completeness Theorems

Every game with: n players, s listeners, t faults can be implemented if:

• Players are computationally limited*

• Trap-door functions exist

• sn , tn/2

* Pi, Pj communicate over a secure line i,j

s n/2 , tn/3

No limit on Computation

Information Theoretic Security

Digital Signature

Bob signs document m with signature y:

• Easy for anyone to check

• Hard for everyone else to forge

myfB )((m, y)

Oblivious Transfer

“AND” protocol

[Figure: Alice holds xA, Bob holds b = xB; truth tables of XOR and AND on Alice's bit a and Bob's bit b]

Trivial!

Possible with

personal

Any efficient function g

[Figure: g computed over the values xA, yA, zB, xB, yb combined with +]

Many players:

• Secret sharing

• Computing with shares

personal

Oblivious computation: any efficient function g

[Figure: circuit evaluating g(inputs), shown for two input assignments]
