Cryptography and Pseudorandomness Theoretical ideas behind e-commerce and the Internet revolution Avi Wigderson Institute for Advanced Study
Plan - Cryptography before computational complexity - The ambitions of modern cryptography The assumptions of modern cryptography The “digital envelope” abstraction Blackboard break: Formalizing some of the defs. Psudorandomness, and modern broader context. Hardness amplification proof. Zero-knowledge proofs
Cryptography before 1970s Alice Bob Secret communication Assumes Alice and Bob share Information which no one else has
Secret communication since 1970s Alice and Bob want to have a completely private conversation. They share no private information Many in this audience has already faced and solved this problem often! Alice, Bob and their problems were born before cryptography! This famous 60’s movies is about discussing your feelings. Alice and Bob want to do so in a manner that will not allow carol and Ted To understand a single word. They share no common private information.
Public-key encryption, e-commerce security I want to purchase “War and Peace”. My credit card is number is 1111 2222 3333 4444 you Public-key encryption, e-commerce security Diffie-Hellman, Merkle, Rivest-Shamir-Adleman, Rabin 1976-77 Key conceptual ideas: complexity-based crypto, one-way and trapdoor functions This is the important idea of public-key cryptography, which initiated computationally based crypto. We need more than the digital envelope as we defined it, but rather “personal” envelopes. Eg Bob’s envelopes can allow anyone to send him secret information, which only he can understand. No prior shared information is needed – only the hardness of factoring (the famous RSA protocol) Goldwasser-Micali, Blum-Micali, Yao 1981 Key formal definitions, techniques and proofs: Computational indistinuishability, pseudorandomness
Modern Cryptography Any task with conflict between privacy and resilience. Mathematics of - Encryption - Secret exchange - Identification - Poker game on the phone - Money transfer - Public lottery These two basic issues occur in lots of human interactions. Usually, physical implements were invented to deal with privacy & resilience - Public bids - Sign contracts Digitally, with no trusted parties Mostly developed before the Internet
What are we assuming? The axioms underlying modern cryptography
Axiom 1: Agents are computationally limited (say, to polynomial time) Consequence 1: Only tasks having efficient algorithms can be performed This can be defined in many ways – one common one is that Agents can toss coins, and compute for polynomial time (but other definitions make sense, such as memory bounds etc).
Easy and Hard Problems asymptotic complexity of functions Multiplication mult(23,67) = 1541 grade school algorithm: n2 steps on n digit inputs EASY Can be performed quickly for huge integers Factoring factor(1541) = (23,67) best known algorithm: exp(n) steps on n digits HARD? We don’t know! We’ll assume it. Axiom 2: Factoring is hard!
Axiom 1: Agents are computationally limited Axiom 2: Factoring is hard Easy p,q pq Impossible (p,q) and pq are information theoretically equivalent for primes p,q. However, computationally they are very different! Theorem: Axioms digital
One-way functions Axiom 1: Agents are computationally limited Axiom 2’: The exist one-way functions E x E(x) Easy Impossible Example: E(p,q) = pq E is multiplication We have other E’s More generally, we can assume “one-way” functions, and multiplication is one of a few candidates for such function we have. Nature may provide others (but this is only an analogy). Easy Impossible Nature’s one-way functions: 2nd law of Thermodynamics
Envelopes as commitments Blum 1981 Envelopes as commitments Alice if I get the car (else you do) Bob flipping... flipping... You lost! What did you pick? E(x) x OPEN CLOSED Here the players are on the phone, They cannot see what the other is doing. They decide to toss a coin and see who gets the car – can they do it? The envelope prevents Bob from seeing the value, but Alice can’t change her mind later. Alice can insert any x (even 1 bit) Bob cannot compute content (even partial info) Alice cannot change content (E(x) defines x) Alice can prove to Bob that x is the content
Switching to a black board lecture Intermission – Switching to a black board lecture Formal definititions of computational pseudorandomness. Connections and generalizations of these defs to arithmetic combinatorics. Using these defs to define digital envelope (formally, a bit-commitment scheme) Survey by Salil Vadhan: http://people.seas.harvard.edu/~salil/pseudorandomness/ Theory came much before practice!
Zero-knowledge proofs Theory came much before practice!
Copyrights Dr. Alice: I can prove Riemann’s Hypothesis Prof. Bob: Impossible! What is the proof? Dr. Alice: Lemma…Proof…Lemma…Proof... Another example where wishful thinking helps. Any other situation if protecting intellectual rights is relevant. Prof. Bob: Amazing!! I’ll recommend tenure Amazing!! I’ll publish first
Zero-Knowledge Proof “Claim” Bob Alice (“proof”) Accept/Reject Goldwasser-Micali -Rackoff 1984 “Claim” Bob Alice (“proof”) Accept/Reject Formally defining zero-knowledge is quite complicated. But the inuition is simple. Alice and Bob both know the claim to be proven. They can each toss random coins. They interact for a few rounds, after which Bob decides to accept or reject the claim. They can use randomness, and Bob fails to detect a false claim by an arbitrarily small probability (which he chooses, and depends only on his coin tosses). Bob accepts Bob learns nothing* “Claim” true “Claim” false Bob rejects with high probability
The universality of Zero-Knowledge Goldreich-Micali -Wigderson 1986 Theorem: Everything you can prove at all, you can prove in Zero-Knowledge We’ll see the intuition for the proof of this universality theorem in several stages. First, we’ll argue it for “map-coloring claims”, and demo a zero-knowledge proof for such claims. Then we explain why the ability to do that takes care of all possible mathematical claims
ZK-proofs of Map Coloring Input: planar map M Claim: M is 3-colorable Natural mathematical Proof: 3-coloring of M (gives lots of info) Let’s look at different types of claims. We had”I know my password” and “I can prove the Riemann hypothesis”. Now – “I can color this map in 3 colors”. Famous 4-color theorem of Appel and Haken, states that every planar map can be 4-colored (so a claim that a map is 4-colorable is not an interesting one – always true). Theorem [GMW]: Such claims have ZK-proofs
I’ll prove this claim in zero-knowledge Claim: This map is 3-colorable (with R Y G ) Note: if I have any 3-coloring of any map Then I immediately have 6 Q P F M O N L K J I H G E C B D A This basic combinatorial property of colorings, namely that the colors can be renamed at random, will be essential.
Q P F M O N L K J I H G E C D A Structure of proof: Repeat (until satisfied) - I hide a random one of my 6 colorings in digital envelopes You pick a pair of adjacent countries I open this pair of envelopes Reject if you see RR,YY,GG or illegal color Q P F M O N L K J I H G E C B D A
Zero-knowledge proof demo (open two adjacent envelopes on any subsequent slide) For each one of these colorings (encrypted by digital envelopes) which I chose randomly For each slide, do the following. First, you need to get out of presentation mode. Let the audience pick a pair of adjacent countries. Then drag the white covers of the envelopes, only on these two countries, to reveal the underlying colors. Don’t reveal the colors of any other country.
L K E I J G O M D B A F C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O D M B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
L K E I J G O M D B F A C N Q H P
A, B are integers, describing the wealth of these millionaires They want to engage in a kind of “zero-knowledge “ conversation, Which will reveal nothing to either, except who is richer.
Why is it a Zero-Knowledge Proof? Exposed information is useless (random) Non-exposed info is useless (pseudorandom) (Bob learns nothing)* M 3-colorable Probability [Accept] =1 (Alice always convinces Bob) M not 3-colorable Prob [Accept] < 1-1/n Prob [Accept in n2 trials] < exp(-n) (Alice rarely convince Bob) [Formalizing this argument is quite complex!] If the coloring was legal, and each time a random renaming of the 6 possible ones was chosen: 1) ZK – at every step, only a pair of random distinct colors was exposed. 2) Bob would never find a reason to reject. But if the map is not 3-coloring, there must be either a pair of adjacent countries with the same color, or an illegal color somewhere. If the pair is picked randomly, Bob would catch this error with at least 1% probability. If he repeats it k times, the probability he doesn’t catch an error drops exponentially like .99k Which becomes tiny very quickly.
What does it have to do with Riemann’s Hypothesis? Theorem: There is an efficient algorithm A: A “Claim” + “Proof length” Map M “Claim” true M 3-colorable Here we use the fact that 3-coloring is NP-complete, which allows a translation of any problem with a short proof into a map coloring problem (as well as the proof itself to a legal coloring) via the Cook-Levin theorem. “Proof” 3-coloring of M A is the Cook-Karp-Levin “dictionary”, Proving that 3-coloring is NP-complete
Theorem [GMW]: + short proof efficient ZK proof Theorem [GMW]: The incredible utility of ZK protocols – They guarantee correct behavior of agents, despite the existence of secrets. Theorem [GMW]: fault-tolerant protocols
Summary Practically every cryptographic task can be performed securely & privately Assuming that players are computationally bounded, and that Factoring is hard. Computational complexity is essential! Randomness is essential for defining secrets Pseudorandomness essential for security proofs Hard problems can be useful! - The theory predated (& enabled) the Internet What if factoring is easy? Few alternatives! Open Q1: Base cryptography on proven hardness Open Q2: Model physical attacks realistically