David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 15: From Here to Oblivion.

Slides:



Advertisements
Similar presentations
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Advertisements

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 8: Hashing Note: only 3 people.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
1 NP-completeness Lecture 2: Jan P The class of problems that can be solved in polynomial time. e.g. gcd, shortest path, prime, etc. There are many.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Short course on quantum computing Andris Ambainis University of Latvia.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 11: Birthday Paradoxes.
CSE332: Data Abstractions Lecture 27: A Few Words on NP Dan Grossman Spring 2010.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Public-key Cryptography Montclair State University CMPT 109 J.W. Benham Spring, 1998.
Oblivious Transfer based on the McEliece Assumptions
CSE 326: Data Structures NP Completeness Ben Lerner Summer 2007.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Analysis of Algorithms CS 477/677
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)
Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.
Module 8 – Anonymous Digital Cash Blind Signatures DigiCash coins.
Sedgewick & Wayne (2004); Chazelle (2005) Sedgewick & Wayne (2004); Chazelle (2005)
Lecture 6: Public Key Cryptography
Introduction to Public Key Cryptography
Tonga Institute of Higher Education Design and Analysis of Algorithms IT 254 Lecture 9: Cryptography.
Complexity Classes (Ch. 34) The class P: class of problems that can be solved in time that is polynomial in the size of the input, n. if input size is.
Chapter 4: Intermediate Protocols
Authentication and Authorization Authentication is the process of verifying a principal’s identity (but how to define “identity”?) –Who the person is –Or,
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
Lecture 11: Strong Passwords
Public-Key Cryptography CS110 Fall Conventional Encryption.
1 SC700 A2 Internet Information Protocols 3/20/2001 Paper Presentation by J. Chu How to Explain Zero-Knowledge Protocols to Your Children.
David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Based on Schneier Chapter 5: Advanced Protocols Dulal C. Kar.
CS151 Complexity Theory Lecture 13 May 11, Outline proof systems interactive proofs and their power Arthur-Merlin games.
CSE 326: Data Structures NP Completeness Ben Lerner Summer 2007.
Presented by: Suparita Parakarn Kinzang Wangdi Research Report Presentation Computer Network Security.
Zero-knowledge proof protocols 1 CHAPTER 12: Zero-knowledge proof protocols One of the most important, and at the same time very counterintuitive, primitives.
CRYPTOGRAPHY. WHAT IS PUBLIC-KEY ENCRYPTION? Encryption is the key to information security The main idea- by using only public information, a sender can.
NP-COMPLETE PROBLEMS. Admin  Two more assignments…  No office hours on tomorrow.
NP-Complete problems.
Beauty and Joy of Computing Limits of Computing Ivona Bezáková CS10: UC Berkeley, April 14, 2014 (Slides inspired by Dan Garcia’s slides.)
Multi-Party Proofs and Computation Based in part on materials from Cornell class CS 4830.
Zero Knowledge Proofs Matthew Pouliotte Anthony Pringle Cryptography November 22, 2005 “A proof is whatever convinces me.” -~ Shimon Even.
CSCI 3130: Formal languages and automata theory Andrej Bogdanov The Chinese University of Hong Kong Interaction,
David Evans CS200: Computer Science University of Virginia Computer Science Lecture 15: Intractable Problems (Smiley.
CS6045: Advanced Algorithms NP Completeness. NP-Completeness Some problems are intractable: as they grow large, we are unable to solve them in reasonable.
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 8: Crash Course in Computational Complexity.
David Luebke 1 2/18/2016 CS 332: Algorithms NP Completeness Continued: Reductions.
Cryptography CS Lecture 19 Prof. Amit Sahai.
 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.
David Evans CS200: Computer Science University of Virginia Computer Science Lecture 23: Intractable Problems (Smiley Puzzles.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 10: Certificates and Hashes.
Zero-Knowledge Proofs Ben Hosp. Classical Proofs A proof is an argument for the truth or correctness of an assertion. A classical proof is an unambiguous.
The NP class. NP-completeness Lecture2. The NP-class The NP class is a class that contains all the problems that can be decided by a Non-Deterministic.
Bit Commitment, Fair Coin Flips, and One-Way Accumulators Matt Ashoff 11/9/2004 Cryptographic Protocols.
1 CSE 326: Data Structures: Graphs Lecture 23: Wednesday, March 5 th, 2003.
P & NP.
Topic 36: Zero-Knowledge Proofs
Introduction to Randomized Algorithms and the Probabilistic Method
Multi-Party Proofs and Computation
The first Few Slides stolen from Boaz Barak
Class 14: Intractable Problems CS150: Computer Science
Interactive Proofs Adapted from Oded Goldreich’s course lecture notes.
Interactive Proofs and Secure Multi-Party Computation
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Presentation transcript:

David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 15: From Here to Oblivion

31 Oct 2001University of Virginia CS 5882 Menu Oblivious Transfer Zero-Knowledge Proofs (Not “No Knowledge Proofs”)

31 Oct 2001University of Virginia CS 5883 Oblivious Transfer Joe Kilian’s story: “Suppose your netmail is being censored by Captain Yossarian. Whenever you send a message, he censors each bit of the message with probability ½, replacing each censored bit by some reversed character. Well versed in such concepts as redundancy, this is no real problem to you. The question is, can it actually be turned around and used to your advantage?”

31 Oct 2001University of Virginia CS 5884 Oblivious Transfer Before: –Alice knows secret b –Bob knows nothing After: –Either: ½ probability: Bob knows b ½ probability: Bob knows nothing –Alice doesn’t know if Bob knows b

31 Oct 2001University of Virginia CS 5885 Is this useful? Fair Coin Toss: Pick R1, R2, b H (R1 || R2 || b), R1 AliceBob Guess g g Bob wins if g = b b, R2 Does this really (information theoretically) work?

31 Oct 2001University of Virginia CS 5886 Coin Toss with Capt. Yossarian Alice picks b 1, b 2, …, b n such that b = b 1  b 2  …  b n Sends out b 1, b 2, …, b n over ½ censored channel Bob receives half of the b i ’s (and doesn’t know anything about the others) Bob guesses g and sends it to Alice

31 Oct 2001University of Virginia CS 5887 Oblivious Coin Toss Pick b = b 1  b 2  …  b n AliceBob Guess g g Bob wins if g = b “You Lose” b 1, b 2, …, b n b 1, X, X, b 4, b 5, …, b n-1, X

31 Oct 2001University of Virginia CS 5888 Better Oblivious Coin Toss Pick b = b 1  b 2  …  b n AliceBob Guess g g Bob wins if g = b b 1, b 2, …, b n b 1, X, X, b 4, b 5, …, b n-1, X b 1, b 2, …, b n Checks the b i s he knows match Calculates b = b 1  b 2  …  b n Yossarian’s channel Is this secure?

31 Oct 2001University of Virginia CS 5889 Oblivious Transfer Can we approximate oblivious transfer without Capt. Yossarian?

31 Oct 2001University of Virginia CS Public-Key Oblivious Transfer Alice Generates 2 public-private key pairs: (KU1, KR1) (KU2, KR2) Bob KU1, KU2 Generates symmetric key K E KU1 (K) or E KU2 (K) Picks either KU1 or KU2. K1 = E KR1 (E KU? (K)) = K or meaningless bits K2 = E KR2 (E KU? (K)) = K or meaningless bits

31 Oct 2001University of Virginia CS Alice Generates 2 public-private key pairs: (KU1, KR1) (KU2, KR2) Bob KU1, KU2 Generates symmetric key K E KU1 (K) or E KU2 (K) Picks either KU1 or KU2. K1 = E KR1 (E KU? (K)) = K or meaningless bits K2 = E KR2 (E KU? (K)) = K or meaningless bits E K1 (b 1 ), E K2 (b 2 ) If Bob used KU1 : D K (E K1 (b 1 )) = b 1 D K (E K2 (b 2 )) = Meaningless

31 Oct 2001University of Virginia CS 58812

31 Oct 2001University of Virginia CS Trick or Treat Protocols

31 Oct 2001University of Virginia CS “Trick or Treat” Protocols Trick-or-Treater must convince victim that she poses a credible threat Need to prove you know a trick, without revealing what it is (otherwise you don’t need to give the treat)! Technical literature calls them Zero- Knowledge “Proofs”

31 Oct 2001University of Virginia CS Cave Protocol Quisquater and Guillou, CRYPTO ’ Victim (Verifier) stands at 1 Trick-or-Treater enters cave and walks to either 3 or 4 Victim moves to 2 Victim yells to Tricker to come out either left or right Repeat n times Tricker must know magic word to open door. Magic word door

31 Oct 2001University of Virginia CS If there’s no cave? 1.Trick-or-Treater uses constructs a problem that only someone who knows the magic word could solve. 2.Trick-or-Treater commits the solution (using a bit commitment protocol) 3.Victim picks part of the solution for Trick-or- Treater to reveal 4.Trick-or-Treater reveals part of the problem, enough to be hard to do without knowing whole solution, but not enough to help victim learn anything. 5.Repeat n times.

31 Oct 2001University of Virginia CS Graph Coloring Given a graph, pick colors of the vertices so that no connected vertices have the same color: Adapted from Steven Rudich’s slides.

31 Oct 2001University of Virginia CS Coloring How can you prove you know how to 3-color G?

31 Oct 2001University of Virginia CS How many 3-Colorings do you know? If (Y, R, Y, R, B, Y, B, R) is a valid 3-coloring, so is (R, Y, R, Y, B, R, B, Y) and(B, Y, B, Y, R, B, R, Y)

31 Oct 2001University of Virginia CS How many 3-Colorings do you know? Can permute color names in any order: 3! = 6

31 Oct 2001University of Virginia CS Zero- Knowledge “Proof” Trick-or-Treater randomly picks one of the 6 colorings Uses bit commitment to commit to the coloring – sends Victim H (R 11 || R 12 || C 1 ), R 11 H (R 21 || R 22 || C 2 ), R 21 … H (R 81 || R 82 || C 2 ), R

31 Oct 2001University of Virginia CS Zero-Knowledge “Proof” Victim picks two random connected nodes, j and k Asks Trick-or-Treater to reveal colors of those nodes Trick-or-Treater sends: C j, R j 2,C k, R k 2 Victim verifies C j and C k are different colors, and checks the hashes

31 Oct 2001University of Virginia CS Proof? If Trick-or-Treater does not know a coloring, there are two connected nodes that have the same color If Victim picks randomly, chances are 1/d (number of edges) that he will pick that edge Repeat k times, but each time the Trick-or- Treater uses a random color mapping (from the 3! possible permutations) Probability cheating Trick-or-Treater is not caught: (1 – 1/d) k

31 Oct 2001University of Virginia CS How many repetitions? (1 – 1/d) k If k = dm p = (1 – 1/d) dm = (1 – 1/d) * (1 – 1/d) … * (1 – 1/d) ln (p) = ln (1 – 1/d) + ln (1 – 1/d) + … + ln (1 – 1/d) = dm ln (1 – 1/d) You may (or may not) recall from the Birthday Paradox proof: –For 0 < x < 1:ln (1 – x)  x So, ln (p) < dm (1/d) < m p < (1/e) m

31 Oct 2001University of Virginia CS Will Tricker Get the Treat? p < e m k = dm For p <.01, we need m = 5 (1/e) 5 = How big is d ? In example, 8 (way too small – anyone can color the graph!) If P  NP, graph coloring takes time O(e d ) d around 25 becomes intractable Need md = 125 trials.

31 Oct 2001University of Virginia CS Does the Victim Learn Anything? No – victim could already easily color two connecting vertices differently Since the Tricker uses a different color mapping permutation (unknown to Victim), knowing the two vertex colors doesn’t help Committing to the colors of all vertices is what makes it convincing

31 Oct 2001University of Virginia CS A Faster Approach 1.Trick-or-Treater uses her secret and random number to transform original problem into an isomorphic hard problem. 2.Trick-or-Treater commits the solution (using a bit commitment protocol) 3.Trick-or-Treater reveals new problem. 4.Victim asks Trick-or-Treater to either: a)Prove new problem is isomorphic to old one b)Show the solution to the new problem 5.Repeat n times.

31 Oct 2001University of Virginia CS Making an isomorphic hard problem Requirements: –Can’t use solution to new problem to solve old problem (without knowing mapping) –Can’t easily solve new problem –Can show that old problem and new problem are equivalent Hmmm...any theory experts?

31 Oct 2001University of Virginia CS Graph Isomoprhism Given two graphs, G 1 = and G2 = is there a mapping between V 1 and V 2 such that G 1 and G 2 are identical? This is an NP-complete problem: –Its hard to find the mapping. –Given mapping, easy to check it is correct.

31 Oct 2001University of Virginia CS Using Graph Isomorphism Trick-or-Treater constructs a graph to represent the magic word: –Vertices are letters –Chooses edges as necessary –Hamiltonian cycle is magic word (path that goes through each vertex exactly once) –Finding a Hamiltonian cycle is NP- complete

31 Oct 2001University of Virginia CS Trick or Treat Trick-or-Treater wants to show Victim she knows a Hamiltion Cycle in graph G Trick-or-Treater constructs H, a random permutation of G –If she knows a Hamiltonian Cycle for G, it is easy to find on for H Shows Victim H, but not the cycle Victim asks for either: –Map showing G and H are isomorphic –Hamiltonian cycle for H Repeat n times (different H each time) –Each iteration catches cheater with 50% probability!

31 Oct 2001University of Virginia CS Can we perform zero-knowledge proofs for other problems? Yes! Any NP problem can be transformed into any NP-complete problem (either graph coloring or Hamiltonian cycle)

31 Oct 2001University of Virginia CS Variation: Oblivious Circuit Evaluation Alice wants to find a Hamiltonian Cycle of G. Bob has a quantum computer that can find Hamiltonian Cycles fast Bob is willing to compute for Alice, but Alice does not trust Bob to know G. Can Alice get Bob to find a Hamiltonian Cycle in G for her, without revealing G to Bob?

31 Oct 2001University of Virginia CS Oblivious Circuit Evaluation Alice Generates H an isomorphism of G Bob H Finds a cycle in H Cycle in H Maps to cycle in G Andrew Yao got the Turing Award for something like this (and lots of other contributions) last year!

31 Oct 2001University of Virginia CS Charge Keep cracking on your projects! Ask your trick-or-treaters for Hamiltonian cycles and graph isomorphisms (and keep the candy for yourself) Monday: Laura Brown, guest lecture

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.