wonders of the digital envelope avi wigderson institute for advanced study
TRANSCRIPT
Wonders of theDigital Envelope
Avi Wigderson
Institute for Advanced Study
Modern Cryptography
• Secrecy / Privacy
• Resilience / Fault ToleranceTasks Implements
Encryption Code books
Identification Driver License
Money transfer Notes, checks
Public bids Sealed envelopes
Modern Cryptography
Tasks ImplementsInformation protection LocksPoker game Play cardsPublic lottery Coins, dice
Sign contracts Lawyers
ALL NONE
No trusted parties
Complexity Based Cryptography
TIME (multiply) = n223,67 1541P
P TIME (factor) = 2n23,67 1541
Axiom 2: Factoring is computationally hard
Axiom 1: Players are computationally limited
n = binary input length, TIME = grows slowly with n
Axiom 0 : Players can toss coins
x f(x)
Easy
Hard
Theorem: One way function digital
INTEGERSINTEGERS : f that
Axiom 2: There exist one-way functions:
Properties of the Envelopef(x) x
•Easy to insert x (any value, even 1 bit)•Hard to compute content (even partial information)•Impossible to change content (f(x) defines x)•Easy to verify that x is the content
CryptographyTheorem:
OPENCLOSED
Public bid (players in one room)
Phase 1: Commit
Phase 2: Expose
P1
$130
P2
$120
P3
f(130) f(120) f(150)
130 120 150
Theorem: Simultaneity
$150
Public Lottery (on the phone)
Alice Bob
Bob: flipping... You lost!
Theorem: Symmetry breaking
Alice: if I get the car (otherwise you do)
What did you pick?Bob: flipping...
Identification - Password
Public passwd fileName f(pswd)… …alice Palice
… …avi Pavi=f(einat)… …bob Pbob
… …
Computer 1 checks if f(pswd) = Pavi
2 erases password from screen.
login: avi
password:einat
Theorem: Identification
Problem: repeated use!Computer should check if I know x such that f(x)=Pavi without getting x
Zero-Knowledge Proof:• Convincing• Reveals no information
Copyrights
Dr. Alice: I can prove the Riemann Hypothesis
Dr. Alice: Lemma…Proof…Lemma…Proof...
Prof. Bob: Impossible! What is the proof?
Prof. Bob: Amazing!! I will recommend tenure
Zero-Knowledge Proof“Claim”
Bob Alice (“proof”)
Accept/Reject“Claim” false Bob rejects
“Claim” true •Bob accepts•Bob learns nothing
With highprobability}
Map Coloring
Input: planar map G
4-COL: is G 4-colorable?
3-COL: is G 3-colorable?
YES!
HARD!
Why is it a Zero-Knowledge Proof?
• Exposed information is useless (Bob learns nothing)
• G 3-colorable Probability[Accept] =1 (Alice always convinces Bob)
• G not 3-colorable Probability[Accept] <.99
Prob[Accept in 300 experiments]<1/billion (Alice rarely convince Bob)
Why did you let me use physical implements?
What does it have to do with the Riemann Hypothesis?
Theorem: There exists an efficient algorithm A:
A“Claim” +“Proof length”
Map G
“Claim” true G 3-colorable
“Proof” A 3 coloring of G
Theorem: + short proof efficient ZK proof
Theorem: fault tolerant protocols
Making any protocolfault-tolerant
1. P2: m1=g1(s2)
2. P7: m2=g2(s7,m1)
3. P1: m3=g3(s1,m1 ,m2)
P2
s2
P7
s7
P1
s1
P3
s3
gi easy to compute, mi public knowledge
si secret
Problem: Did P1 cheat in step 3? i.e. does m3=g3(s1,m1,m2) ??
Solution: The claim “m3=g3(s1,m1,m2)” hasa short proof! Which is ….
P1 will prove it in Zero-Knowledge!
s1
So Far...
Fault Tolerance
(we can force players to behave well!)
? Privacy/Secrecy
(cannot prevent listening)
Undecipherablecommunication line
Public Key Encryption
Alice Bob
Eavesdropper: listens, does not understand
even if Alice & Bob never met before
Computing Functions on Secret Inputs
g...
X1
P1
X2
P2
Xn
Pn
Example: Ballotg = Majority
Gore 1
Bush 0iX
The players Pi are honest.• All players learn g(x1,x2,…xn)• No subset learns anything more
The Millionaires’ Problem
Alice Bob
BA
Both want to know who is richer
Neither gets any other information
BA
BABAg
if 1
if 0),(
aAlice
bBob
AND 0
0 1
0
0 1
0
1
Possible with
personal
1
0 1
100
How to ensure Privacy
Oblivious Computation
0 1 1
g(inputs)
V
V
V
VV
V
1
Theorem: every “game”, with anysecrecy requirements,can be implemented
personal
Game Theory: description of partial information games in extensive form
Trap-Door Function (personal envelope)
x fB(x)
Easy for all
Book ofFunctions
…Alice fA
…Bob fB
...
Public
New axiom: there exist personal
Easy for BobHard for others
Factoring is hard
... ...
Nature
... ...
Alice
Nature
...Alice
Bob
Information Sets
• Player’s action depends only on its information set
Completeness Theorems
Every game with: n players, s listeners, t faults can be implemented if:
• Players are computationally limited*• Trap-door functions exist• sn , tn/2* Pi, Pj communicate over a secure line i,j
s n/2 , tn/3
No limit on Computation
Information Theoretic Security
Digital Signature
Bob signs document m with signature y:
• Easy for anyone to check• Hard for everyone else to forge
myfB )((m, y)
ObliviousTransfer
“AND” protocolxA
Alice
0
0 1
0
0 10
1b=xB
Bob
+
aAlice
bBob
XOR0
1 0
1
0 1
0
1
aAlice
bBob
AND 0
0 1
0
0 1
0
1
Trivial!
Possible with
personal
Any efficient function g
g
+ + +xA
yA zB xB yb
Many players:• Secret sharing• Computing with shares
personal
Oblivious computation: any efficient function g
1 0 0 1 0 1 0
1 1 0
1 0
1
g(inputs)
1
Oblivious computation: any efficient function g
0 1 0
0 1 0
1 0
1
g(inputs)
1